Analysis

Category Package Started Completed Duration Options Log
FILE Extraction 2019-02-11 18:23:19 2019-02-11 18:27:05 226 seconds Show Options Show Log
procmemdump = 1
import_reconstruction = 1
procdump = 0
route = internet
2019-02-11 18:23:20,015 [root] INFO: Date set to: 02-11-19, time set to: 18:23:20, timeout set to: 200
2019-02-11 18:23:20,092 [root] DEBUG: Starting analyzer from: C:\vzhcayeqy
2019-02-11 18:23:20,092 [root] DEBUG: Storing results at: C:\ATQAJghF
2019-02-11 18:23:20,092 [root] DEBUG: Pipe server name: \\.\PIPE\CSxDRRcX
2019-02-11 18:23:20,108 [root] INFO: Analysis package "Extraction" has been specified.
2019-02-11 18:23:21,388 [root] DEBUG: Started auxiliary module Browser
2019-02-11 18:23:21,388 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 18:23:21,388 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 18:23:21,388 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 18:23:21,404 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 18:23:21,418 [root] DEBUG: Started auxiliary module Human
2019-02-11 18:23:21,418 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 18:23:21,418 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 18:23:21,418 [root] DEBUG: Started auxiliary module Usage
2019-02-11 18:23:21,418 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-02-11 18:23:21,418 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-02-11 18:23:22,073 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\corona.mor" with arguments "" with pid 3008
2019-02-11 18:23:22,089 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:22,089 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:22,151 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2019-02-11 18:23:24,164 [lib.api.process] INFO: Successfully resumed process with pid 3008
2019-02-11 18:23:24,164 [root] INFO: Added new process to list with pid: 3008
2019-02-11 18:23:24,273 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:24,273 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:24,289 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:24,305 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x200000
2019-02-11 18:23:24,305 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:24,382 [root] INFO: Monitor successfully loaded in process with pid 3008.
2019-02-11 18:23:29,890 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3510000, RegionSize: 0x46000.
2019-02-11 18:23:29,890 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3510000, AllocationSize: 0x46000, ThreadId: 0x4c4
2019-02-11 18:23:29,890 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3510000 and Type=0x1.
2019-02-11 18:23:29,890 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3510000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:29,890 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3510000
2019-02-11 18:23:29,905 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2202ac
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x7e.
2019-02-11 18:23:29,905 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3510000 and Type=0x0.
2019-02-11 18:23:29,905 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3510000, AllocationBaseExecBpSet = 1 (EIP = 0x2202ac)
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:29,905 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2202ac
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x7e.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,905 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2202dd
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x13.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,905 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2202dd
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,905 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x13.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2202e0
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x13.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2202e0
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0xf0.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x220318
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0xf0.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x220345
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0xef.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x22035c
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x55.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x220318
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x55.
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x220345
2019-02-11 18:23:29,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,937 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x55.
2019-02-11 18:23:29,937 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,937 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x22035c
2019-02-11 18:23:29,937 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3510000.
2019-02-11 18:23:29,937 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3510000: 0x55.
2019-02-11 18:23:29,937 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,937 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3510000
2019-02-11 18:23:29,937 [root] DEBUG: MidPageExecCallback: Breakpoint 1 at Address 0x3510000.
2019-02-11 18:23:29,937 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x3510000, size 0x46000).
2019-02-11 18:23:29,937 [root] DEBUG: DumpPEsInRange: Scanning range 0x3510000 - 0x3556000.
2019-02-11 18:23:29,937 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3510000-0x3556000.
2019-02-11 18:23:29,937 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vzhcayeqy\CAPE\3008_9372923312222019
2019-02-11 18:23:29,937 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\3008_9372923312222019
2019-02-11 18:23:29,951 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3510000 - 0x3556000.
2019-02-11 18:23:29,951 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3510000.
2019-02-11 18:23:29,951 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3510000.
2019-02-11 18:23:29,951 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x3510000.
2019-02-11 18:23:29,951 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:23:29,951 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3560000, RegionSize: 0x29000.
2019-02-11 18:23:29,951 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3560000, AllocationSize: 0x29000, ThreadId: 0x4c4
2019-02-11 18:23:29,951 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3560000 and Type=0x1.
2019-02-11 18:23:29,951 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3560000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:29,951 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3560000
2019-02-11 18:23:29,951 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3510197
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3560000.
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3560000: 0x4.
2019-02-11 18:23:29,951 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3560000 and Type=0x0.
2019-02-11 18:23:29,951 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3560000, AllocationBaseExecBpSet = 1 (EIP = 0x3510197)
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:29,951 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3510197
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3560000.
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3560000: 0x4.
2019-02-11 18:23:29,951 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:29,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3560000.
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:29,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3560000.
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:23:29,967 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x356003c and Type=0x1.
2019-02-11 18:23:29,967 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x356003c (EIP = 0x351024c)
2019-02-11 18:23:29,967 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:29,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x356003c.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49494968 (perhaps writing incomplete).
2019-02-11 18:23:29,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x356003c.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49490068 (perhaps writing incomplete).
2019-02-11 18:23:29,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x356003c.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49000068 (perhaps writing incomplete).
2019-02-11 18:23:29,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:29,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x356003c.
2019-02-11 18:23:29,967 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3560068 and Type=0x1.
2019-02-11 18:23:29,983 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,983 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3560068 (EIP = 0x351024c)
2019-02-11 18:23:29,983 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:23:29,983 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3560068.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x49490c50.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:29,983 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3560068.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x49494550.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:29,983 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3560068.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x49004550.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:29,983 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3560068.
2019-02-11 18:23:29,983 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3560090 and Type=0x1.
2019-02-11 18:23:29,983 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x351024c).
2019-02-11 18:23:29,983 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:29,983 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,983 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3560090.
2019-02-11 18:23:29,983 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x4c9f5900 and Type=0x0.
2019-02-11 18:23:29,983 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,983 [root] DEBUG: EntryPointWriteCallback: Execution bp 2 set on EntryPoint 0x4c9f5900 (EIP = 0x351024c).
2019-02-11 18:23:29,983 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:29,999 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3560090.
2019-02-11 18:23:29,999 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x4c9f1000 and Type=0x0.
2019-02-11 18:23:29,999 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 2 to 0x4c9f1000 (EIP = 0x351024c).
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:29,999 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3560090.
2019-02-11 18:23:29,999 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x4c561000 and Type=0x0.
2019-02-11 18:23:29,999 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 2 to 0x4c561000 (EIP = 0x351024c).
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:29,999 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x351024c
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3560090.
2019-02-11 18:23:29,999 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x3561000 and Type=0x0.
2019-02-11 18:23:29,999 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 2 to 0x3561000 (EIP = 0x351024c).
2019-02-11 18:23:29,999 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:29,999 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3f0000, RegionSize: 0x2000.
2019-02-11 18:23:29,999 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3560000.
2019-02-11 18:23:30,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x3560000 - 0x3589000.
2019-02-11 18:23:30,015 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3560000
2019-02-11 18:23:30,015 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-02-11 18:23:30,015 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3560000
2019-02-11 18:23:30,015 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\3008_153023312222019
2019-02-11 18:23:30,015 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-02-11 18:23:30,015 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3560000.
2019-02-11 18:23:30,015 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3560001-0x3589000.
2019-02-11 18:23:30,015 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:23:30,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3560000 - 0x3589000.
2019-02-11 18:23:30,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3560090.
2019-02-11 18:23:30,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3560000.
2019-02-11 18:23:30,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x3561000.
2019-02-11 18:23:30,015 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3f0000, AllocationSize: 0x2000, ThreadId: 0x4c4
2019-02-11 18:23:30,015 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3f0000 and Type=0x1.
2019-02-11 18:23:30,015 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3f0000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:30,015 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3f0000
2019-02-11 18:23:30,029 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3511e62
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0x55.
2019-02-11 18:23:30,029 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3f0000 and Type=0x0.
2019-02-11 18:23:30,029 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3f0000, AllocationBaseExecBpSet = 1 (EIP = 0x3511e62)
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:30,029 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3511e62
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3f0000.
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0x55.
2019-02-11 18:23:30,029 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:30,029 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3f0000
2019-02-11 18:23:30,029 [root] DEBUG: MidPageExecCallback: Breakpoint 1 at Address 0x3f0000.
2019-02-11 18:23:30,029 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x3f0000, size 0x2000).
2019-02-11 18:23:30,029 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x3f2000.
2019-02-11 18:23:30,029 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0000-0x3f2000.
2019-02-11 18:23:30,029 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vzhcayeqy\CAPE\3008_303023312222019
2019-02-11 18:23:30,029 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\3008_303023312222019
2019-02-11 18:23:30,029 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x3f2000.
2019-02-11 18:23:30,029 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3f0000.
2019-02-11 18:23:30,046 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3f0000.
2019-02-11 18:23:30,046 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x3f0000.
2019-02-11 18:23:30,046 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:23:30,076 [root] INFO: Announced 32-bit process name: corona.mor pid: 828
2019-02-11 18:23:30,076 [root] INFO: Added new process to list with pid: 828
2019-02-11 18:23:30,076 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,076 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,076 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 828
2019-02-11 18:23:30,092 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:30,140 [root] INFO: Notified of termination of process with pid 3008.
2019-02-11 18:23:30,154 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:30,201 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:30,233 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:30,249 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2019-02-11 18:23:30,249 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:30,249 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:30,249 [lib.api.process] WARNING: Unable to find process dump for process 3008.
2019-02-11 18:23:30,249 [root] INFO: Process with pid 3008 has terminated
2019-02-11 18:23:30,311 [root] INFO: Monitor successfully loaded in process with pid 828.
2019-02-11 18:23:30,483 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2288
2019-02-11 18:23:30,483 [root] INFO: Added new process to list with pid: 2288
2019-02-11 18:23:30,483 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,497 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,545 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2288
2019-02-11 18:23:30,561 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1664
2019-02-11 18:23:30,561 [root] INFO: Added new process to list with pid: 1664
2019-02-11 18:23:30,561 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,561 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,561 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1664
2019-02-11 18:23:30,592 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1732
2019-02-11 18:23:30,592 [root] INFO: Added new process to list with pid: 1732
2019-02-11 18:23:30,592 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,592 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,638 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1732
2019-02-11 18:23:30,638 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:30,654 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:30,654 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:30,654 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:30,654 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:30,654 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:30,654 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:30,654 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:30,654 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1a0000
2019-02-11 18:23:30,654 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:30,670 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x160000
2019-02-11 18:23:30,670 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:30,670 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x160000
2019-02-11 18:23:30,670 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:30,670 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:30,670 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:30,670 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:30,670 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:30,670 [root] INFO: Monitor successfully loaded in process with pid 1664.
2019-02-11 18:23:30,686 [root] INFO: Monitor successfully loaded in process with pid 2288.
2019-02-11 18:23:30,686 [root] INFO: Monitor successfully loaded in process with pid 1732.
2019-02-11 18:23:30,686 [root] INFO: Announced 32-bit process name: cpspoa.mor pid: 1988
2019-02-11 18:23:30,686 [root] INFO: Added new process to list with pid: 1988
2019-02-11 18:23:30,686 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,700 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,795 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-02-11 18:23:30,795 [root] INFO: Notified of termination of process with pid 828.
2019-02-11 18:23:30,795 [root] INFO: Announced 32-bit process name: powershell.exe pid: 1828
2019-02-11 18:23:30,795 [root] INFO: Added new process to list with pid: 1828
2019-02-11 18:23:30,795 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,825 [root] INFO: Announced 32-bit process name: sc.exe pid: 3064
2019-02-11 18:23:30,825 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,842 [root] INFO: Added new process to list with pid: 3064
2019-02-11 18:23:30,872 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:30,872 [root] INFO: Announced 32-bit process name: sc.exe pid: 860
2019-02-11 18:23:30,888 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,888 [root] INFO: Added new process to list with pid: 860
2019-02-11 18:23:30,888 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1828
2019-02-11 18:23:30,888 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:30,920 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:30,934 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,934 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:30,934 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:30,934 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3064
2019-02-11 18:23:30,982 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:30,982 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2019-02-11 18:23:30,982 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:30,997 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:30,997 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:30,997 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 860
2019-02-11 18:23:31,043 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:31,043 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:31,059 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x170000
2019-02-11 18:23:31,059 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:31,075 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:31,075 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-02-11 18:23:31,091 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:31,091 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:31,091 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:31,091 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:31,107 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:31,107 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1b0000
2019-02-11 18:23:31,107 [root] INFO: Monitor successfully loaded in process with pid 1828.
2019-02-11 18:23:31,107 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2019-02-11 18:23:31,107 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:31,107 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:31,107 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:31,154 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:31,154 [root] INFO: Monitor successfully loaded in process with pid 3064.
2019-02-11 18:23:31,184 [root] INFO: Monitor successfully loaded in process with pid 860.
2019-02-11 18:23:31,263 [lib.api.process] WARNING: Unable to find process dump for process 828.
2019-02-11 18:23:31,263 [root] INFO: Process with pid 828 has terminated
2019-02-11 18:23:31,293 [root] INFO: Notified of termination of process with pid 3064.
2019-02-11 18:23:31,341 [root] INFO: Notified of termination of process with pid 860.
2019-02-11 18:23:31,355 [root] INFO: Notified of termination of process with pid 2288.
2019-02-11 18:23:31,355 [root] INFO: Notified of termination of process with pid 1664.
2019-02-11 18:23:32,276 [lib.api.process] WARNING: Unable to find process dump for process 2288.
2019-02-11 18:23:32,276 [root] INFO: Process with pid 2288 has terminated
2019-02-11 18:23:32,292 [lib.api.process] WARNING: Unable to find process dump for process 3064.
2019-02-11 18:23:32,292 [root] INFO: Process with pid 3064 has terminated
2019-02-11 18:23:32,681 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3fb0000, RegionSize: 0x70000.
2019-02-11 18:23:32,681 [root] DEBUG: NtAllocateVirtualMemory hook: Memory reserved but not committed at 0x3fb0000.
2019-02-11 18:23:32,792 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3fe2000, RegionSize: 0x2000.
2019-02-11 18:23:32,806 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3fb0000.
2019-02-11 18:23:32,806 [root] DEBUG: DumpPEsInRange: Scanning range 0x0 - 0x30000.
2019-02-11 18:23:32,806 [root] DEBUG: ScanForDisguisedPE: Exception occured reading memory address 0x0
2019-02-11 18:23:32,806 [root] DEBUG: SetCapeMetaData: Extraction type with no PID - error.
2019-02-11 18:23:32,806 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x3fb0000.
2019-02-11 18:23:32,806 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x0
2019-02-11 18:23:32,822 [root] DEBUG: NtAllocateVirtualMemory hook: Failed to dump memory range at 0x3fb0000.
2019-02-11 18:23:32,822 [root] DEBUG: NtAllocateVirtualMemory hook: Previously marked memory range at: 0x3fb0000 is empty or inaccessible.
2019-02-11 18:23:32,822 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3fb0000 - 0x4020000.
2019-02-11 18:23:32,822 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3fe2000, AllocationSize: 0x2000, ThreadId: 0x1c8
2019-02-11 18:23:32,822 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xbc, Size=0x2, Address=0x3fe2000 and Type=0x1.
2019-02-11 18:23:32,838 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3fe2000, size 2 with Callback 0x74af3100, ThreadHandle = 0xbc.
2019-02-11 18:23:32,838 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3fe2000
2019-02-11 18:23:32,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x73d972fe
2019-02-11 18:23:32,838 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3fe2000.
2019-02-11 18:23:32,838 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3fe2000: 0x0.
2019-02-11 18:23:32,854 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3fe2000 and Type=0x0.
2019-02-11 18:23:32,854 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:32,854 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3fe2000, AllocationBaseExecBpSet = 1 (EIP = 0x73d972fe)
2019-02-11 18:23:32,854 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:32,869 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x73ee04fd
2019-02-11 18:23:32,869 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3fe2000.
2019-02-11 18:23:32,869 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3fe2000: 0xec.
2019-02-11 18:23:32,869 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:33,305 [lib.api.process] WARNING: Unable to find process dump for process 1664.
2019-02-11 18:23:33,305 [root] INFO: Process with pid 1664 has terminated
2019-02-11 18:23:33,352 [lib.api.process] WARNING: Unable to find process dump for process 860.
2019-02-11 18:23:33,352 [root] INFO: Process with pid 860 has terminated
2019-02-11 18:23:34,430 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x8330000, RegionSize: 0x1d0000.
2019-02-11 18:23:34,430 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3fe2000.
2019-02-11 18:23:34,430 [root] DEBUG: DumpPEsInRange: Scanning range 0x3fe0000 - 0x3fe2000.
2019-02-11 18:23:34,430 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3fe0000-0x3fe2000.
2019-02-11 18:23:34,430 [root] DEBUG: NtAllocateVirtualMemory hook: dumping memory range at 0x3fe2000.
2019-02-11 18:23:34,444 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vzhcayeqy\CAPE\1828_4455423312222019
2019-02-11 18:23:34,444 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\1828_4455423312222019
2019-02-11 18:23:34,460 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3fe2000 - 0x3fe4000.
2019-02-11 18:23:34,460 [root] DEBUG: NtAllocateVirtualMemory hook: Memory reserved but not committed at 0x8330000.
2019-02-11 18:23:34,569 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4040000, RegionSize: 0x2000.
2019-02-11 18:23:34,569 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4040000, AllocationSize: 0x2000, ThreadId: 0x340
2019-02-11 18:23:34,569 [root] DEBUG: SetNextAvailableBreakpoint: Creating new thread breakpoints for thread 0x340.
2019-02-11 18:23:34,569 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x458, Size=0x2, Address=0x4040000 and Type=0x1.
2019-02-11 18:23:34,585 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4040000, size 2 with Callback 0x74af3100, ThreadHandle = 0x458.
2019-02-11 18:23:34,585 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4040000
2019-02-11 18:23:34,585 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x73e612e1
2019-02-11 18:23:34,585 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4040000.
2019-02-11 18:23:34,585 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4040000: 0x0.
2019-02-11 18:23:34,601 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4040000 and Type=0x0.
2019-02-11 18:23:34,601 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:34,601 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x4040000, AllocationBaseExecBpSet = 1 (EIP = 0x73e612e1)
2019-02-11 18:23:34,601 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:34,742 [root] DEBUG: DumpPEsInRange: Scanning range 0x4040000 - 0x4044000.
2019-02-11 18:23:34,756 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4040000-0x4044000.
2019-02-11 18:23:34,756 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vzhcayeqy\CAPE\1828_7575423312222019
2019-02-11 18:23:34,773 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\1828_7575423312222019
2019-02-11 18:23:34,773 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4040000 - 0x4042000.
2019-02-11 18:23:34,773 [root] DEBUG: TerminateHandler: successfully dumped memory range at 0x0.
2019-02-11 18:23:34,788 [root] INFO: Notified of termination of process with pid 1828.
2019-02-11 18:23:34,788 [root] INFO: Notified of termination of process with pid 1732.
2019-02-11 18:23:35,381 [lib.api.process] WARNING: Unable to find process dump for process 1732.
2019-02-11 18:23:35,381 [root] INFO: Process with pid 1732 has terminated
2019-02-11 18:23:35,397 [lib.api.process] WARNING: Unable to find process dump for process 1828.
2019-02-11 18:23:35,397 [root] INFO: Process with pid 1828 has terminated
2019-02-11 18:23:39,467 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x4c0000, RegionSize: 0x46000.
2019-02-11 18:23:39,467 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x4c0000, AllocationSize: 0x46000, ThreadId: 0x45c
2019-02-11 18:23:39,483 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x4c0000 and Type=0x1.
2019-02-11 18:23:39,483 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x4c0000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:39,483 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x4c0000
2019-02-11 18:23:39,500 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2902ac
2019-02-11 18:23:39,500 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,500 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x7e.
2019-02-11 18:23:39,515 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x4c0000 and Type=0x0.
2019-02-11 18:23:39,515 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:39,515 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x4c0000, AllocationBaseExecBpSet = 1 (EIP = 0x2902ac)
2019-02-11 18:23:39,515 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:39,530 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2902ac
2019-02-11 18:23:39,530 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,530 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x7e.
2019-02-11 18:23:39,546 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,546 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2902dd
2019-02-11 18:23:39,546 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,562 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x13.
2019-02-11 18:23:39,562 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,562 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2902dd
2019-02-11 18:23:39,578 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,578 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x13.
2019-02-11 18:23:39,578 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,578 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2902e0
2019-02-11 18:23:39,592 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,592 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x13.
2019-02-11 18:23:39,592 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,608 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2902e0
2019-02-11 18:23:39,608 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,608 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0xf0.
2019-02-11 18:23:39,624 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,624 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x290318
2019-02-11 18:23:39,624 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,624 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0xf0.
2019-02-11 18:23:39,640 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,640 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x290345
2019-02-11 18:23:39,640 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,655 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0xef.
2019-02-11 18:23:39,655 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,655 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x29035c
2019-02-11 18:23:39,671 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,671 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x55.
2019-02-11 18:23:39,671 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,687 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x290318
2019-02-11 18:23:39,687 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,687 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x55.
2019-02-11 18:23:39,687 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,701 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x290345
2019-02-11 18:23:39,701 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,701 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x55.
2019-02-11 18:23:39,717 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,717 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x29035c
2019-02-11 18:23:39,717 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x4c0000.
2019-02-11 18:23:39,717 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4c0000: 0x55.
2019-02-11 18:23:39,733 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,733 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c0000
2019-02-11 18:23:39,733 [root] DEBUG: MidPageExecCallback: Breakpoint 1 at Address 0x4c0000.
2019-02-11 18:23:39,749 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x4c0000, size 0x46000).
2019-02-11 18:23:39,749 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x506000.
2019-02-11 18:23:39,749 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x506000.
2019-02-11 18:23:39,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vzhcayeqy\CAPE\1988_7493923312222019
2019-02-11 18:23:39,779 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\1988_7493923312222019
2019-02-11 18:23:39,779 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4c0000 - 0x506000.
2019-02-11 18:23:39,796 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4c0000.
2019-02-11 18:23:39,796 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x4c0000.
2019-02-11 18:23:39,796 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x4c0000.
2019-02-11 18:23:39,812 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:23:39,812 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3570000, RegionSize: 0x29000.
2019-02-11 18:23:39,812 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3570000, AllocationSize: 0x29000, ThreadId: 0x45c
2019-02-11 18:23:39,812 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3570000 and Type=0x1.
2019-02-11 18:23:39,826 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3570000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:39,826 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3570000
2019-02-11 18:23:39,826 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c0197
2019-02-11 18:23:39,842 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3570000.
2019-02-11 18:23:39,842 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3570000: 0x4.
2019-02-11 18:23:39,842 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3570000 and Type=0x0.
2019-02-11 18:23:39,858 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:39,858 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3570000, AllocationBaseExecBpSet = 1 (EIP = 0x4c0197)
2019-02-11 18:23:39,858 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:39,874 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c0197
2019-02-11 18:23:39,874 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3570000.
2019-02-11 18:23:39,874 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3570000: 0x4.
2019-02-11 18:23:39,890 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:39,890 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:39,904 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3570000.
2019-02-11 18:23:39,904 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 18:23:39,921 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:39,921 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:39,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3570000.
2019-02-11 18:23:39,921 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:23:39,936 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x357003c and Type=0x1.
2019-02-11 18:23:39,936 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:39,936 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x357003c (EIP = 0x4c024c)
2019-02-11 18:23:39,951 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:39,951 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:39,967 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x357003c.
2019-02-11 18:23:39,967 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49494968 (perhaps writing incomplete).
2019-02-11 18:23:39,983 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:39,983 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:39,999 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x357003c.
2019-02-11 18:23:39,999 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49490068 (perhaps writing incomplete).
2019-02-11 18:23:40,013 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,029 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:40,029 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x357003c.
2019-02-11 18:23:40,029 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x49000068 (perhaps writing incomplete).
2019-02-11 18:23:40,046 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,046 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:40,046 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x357003c.
2019-02-11 18:23:40,061 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3570068 and Type=0x1.
2019-02-11 18:23:40,061 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,061 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x3570068 (EIP = 0x4c024c)
2019-02-11 18:23:40,061 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:23:40,076 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,076 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3570068.
2019-02-11 18:23:40,076 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x49490c50.
2019-02-11 18:23:40,092 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:40,092 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,092 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3570068.
2019-02-11 18:23:40,092 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x49494550.
2019-02-11 18:23:40,108 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:40,108 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,108 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3570068.
2019-02-11 18:23:40,124 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x49004550.
2019-02-11 18:23:40,124 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:40,124 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,124 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x3570068.
2019-02-11 18:23:40,138 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x3570090 and Type=0x1.
2019-02-11 18:23:40,138 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,154 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x4c024c).
2019-02-11 18:23:40,154 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:40,170 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,170 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3570090.
2019-02-11 18:23:40,170 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x4ca05900 and Type=0x0.
2019-02-11 18:23:40,186 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,186 [root] DEBUG: EntryPointWriteCallback: Execution bp 2 set on EntryPoint 0x4ca05900 (EIP = 0x4c024c).
2019-02-11 18:23:40,186 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:40,186 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,201 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3570090.
2019-02-11 18:23:40,201 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x4ca01000 and Type=0x0.
2019-02-11 18:23:40,201 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,217 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 2 to 0x4ca01000 (EIP = 0x4c024c).
2019-02-11 18:23:40,217 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:40,233 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,233 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3570090.
2019-02-11 18:23:40,233 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x4c571000 and Type=0x0.
2019-02-11 18:23:40,247 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,247 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 2 to 0x4c571000 (EIP = 0x4c024c).
2019-02-11 18:23:40,247 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:40,263 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c024c
2019-02-11 18:23:40,263 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x3570090.
2019-02-11 18:23:40,263 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x3571000 and Type=0x0.
2019-02-11 18:23:40,279 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,279 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 2 to 0x3571000 (EIP = 0x4c024c).
2019-02-11 18:23:40,295 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:40,311 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3e0000, RegionSize: 0x2000.
2019-02-11 18:23:40,311 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3570000.
2019-02-11 18:23:40,325 [root] DEBUG: DumpPEsInRange: Scanning range 0x3570000 - 0x3599000.
2019-02-11 18:23:40,325 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3570000
2019-02-11 18:23:40,325 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-02-11 18:23:40,342 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x3570000
2019-02-11 18:23:40,372 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\1988_3424023312222019
2019-02-11 18:23:40,388 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-02-11 18:23:40,404 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3570000.
2019-02-11 18:23:40,420 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3570001-0x3599000.
2019-02-11 18:23:40,436 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:23:40,436 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3570000 - 0x3599000.
2019-02-11 18:23:40,436 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3570090.
2019-02-11 18:23:40,450 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3570000.
2019-02-11 18:23:40,450 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x3571000.
2019-02-11 18:23:40,450 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3e0000, AllocationSize: 0x2000, ThreadId: 0x45c
2019-02-11 18:23:40,467 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3e0000 and Type=0x1.
2019-02-11 18:23:40,467 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3e0000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:40,467 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3e0000
2019-02-11 18:23:40,482 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c1e62
2019-02-11 18:23:40,482 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-02-11 18:23:40,513 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x55.
2019-02-11 18:23:40,513 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3e0000 and Type=0x0.
2019-02-11 18:23:40,513 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,529 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3e0000, AllocationBaseExecBpSet = 1 (EIP = 0x4c1e62)
2019-02-11 18:23:40,529 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:40,545 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4c1e62
2019-02-11 18:23:40,545 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-02-11 18:23:40,559 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x55.
2019-02-11 18:23:40,559 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:40,559 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x3e0000
2019-02-11 18:23:40,575 [root] DEBUG: MidPageExecCallback: Breakpoint 1 at Address 0x3e0000.
2019-02-11 18:23:40,575 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x3e0000, size 0x2000).
2019-02-11 18:23:40,575 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3e2000.
2019-02-11 18:23:40,575 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3e2000.
2019-02-11 18:23:40,592 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vzhcayeqy\CAPE\1988_5924023312222019
2019-02-11 18:23:40,607 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\1988_5924023312222019
2019-02-11 18:23:40,607 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3e2000.
2019-02-11 18:23:40,607 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3e0000.
2019-02-11 18:23:40,622 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3e0000.
2019-02-11 18:23:40,622 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x3e0000.
2019-02-11 18:23:40,622 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 18:23:40,638 [root] INFO: Announced 32-bit process name: cpspoa.mor pid: 2860
2019-02-11 18:23:40,638 [root] INFO: Added new process to list with pid: 2860
2019-02-11 18:23:40,638 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:40,654 [lib.api.process] INFO: 32-bit DLL to inject is C:\vzhcayeqy\dll\lclBzFUe.dll, loader C:\vzhcayeqy\bin\dRanDob.exe
2019-02-11 18:23:40,654 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2860
2019-02-11 18:23:40,700 [root] DEBUG: Process memory dumps enabled.
2019-02-11 18:23:40,700 [root] INFO: Notified of termination of process with pid 1988.
2019-02-11 18:23:40,716 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 18:23:40,732 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2019-02-11 18:23:40,747 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x280000
2019-02-11 18:23:40,747 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:23:40,763 [root] INFO: Disabling sleep skipping.
2019-02-11 18:23:40,779 [root] INFO: Monitor successfully loaded in process with pid 2860.
2019-02-11 18:23:40,825 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x3e0000, RegionSize: 0x1e000.
2019-02-11 18:23:40,825 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x3e0000, AllocationSize: 0x1e000, ThreadId: 0x960
2019-02-11 18:23:40,825 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x3e0000 and Type=0x1.
2019-02-11 18:23:40,841 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x3e0000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:40,841 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x3e0000
2019-02-11 18:23:40,841 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415bb6
2019-02-11 18:23:40,857 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x3e0000.
2019-02-11 18:23:40,857 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3e0000: 0x0.
2019-02-11 18:23:40,857 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x3e0000 and Type=0x0.
2019-02-11 18:23:40,871 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:40,888 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x3e0000, AllocationBaseExecBpSet = 1 (EIP = 0x415bb6)
2019-02-11 18:23:40,888 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:40,888 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x530000, RegionSize: 0x4000.
2019-02-11 18:23:40,904 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x3e0000.
2019-02-11 18:23:40,904 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3fe000.
2019-02-11 18:23:40,904 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3e0000
2019-02-11 18:23:40,918 [root] DEBUG: DumpPEsInRange: Disguised PE image (bad MZ and/or PE headers) at 0x3e0000.
2019-02-11 18:23:40,918 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-02-11 18:23:40,934 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x21f9a50
2019-02-11 18:23:40,950 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\2860_935024312222019
2019-02-11 18:23:40,966 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-02-11 18:23:40,966 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3e0000.
2019-02-11 18:23:40,982 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0001-0x3fe000.
2019-02-11 18:23:40,982 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:23:40,982 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3fe000.
2019-02-11 18:23:40,982 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x3e0000.
2019-02-11 18:23:40,996 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x3e0000.
2019-02-11 18:23:40,996 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x530000, AllocationSize: 0x4000, ThreadId: 0x960
2019-02-11 18:23:41,013 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x530000 and Type=0x1.
2019-02-11 18:23:41,013 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x530000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:41,028 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x530000
2019-02-11 18:23:41,028 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415bb6
2019-02-11 18:23:41,043 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x530000.
2019-02-11 18:23:41,043 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 18:23:41,043 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x53003c and Type=0x1.
2019-02-11 18:23:41,059 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,059 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x53003c (EIP = 0x415bb6)
2019-02-11 18:23:41,059 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:41,075 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415c5f
2019-02-11 18:23:41,075 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:41,075 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x53003c.
2019-02-11 18:23:41,091 [root] DEBUG: PEPointerWriteCallback: pointer to PE header too big: 0x4cc0 (perhaps writing incomplete).
2019-02-11 18:23:41,091 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415c44
2019-02-11 18:23:41,091 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 18:23:41,105 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x53003c.
2019-02-11 18:23:41,105 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5300c0 and Type=0x1.
2019-02-11 18:23:41,105 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,121 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x5300c0 (EIP = 0x415c44)
2019-02-11 18:23:41,121 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 18:23:41,121 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415c5f
2019-02-11 18:23:41,138 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5300c0.
2019-02-11 18:23:41,138 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0xe4550.
2019-02-11 18:23:41,138 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:41,153 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415cd2
2019-02-11 18:23:41,153 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x5300c0.
2019-02-11 18:23:41,153 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x5300e8 and Type=0x1.
2019-02-11 18:23:41,168 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,168 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x415cd2).
2019-02-11 18:23:41,168 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 18:23:41,184 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415c44
2019-02-11 18:23:41,184 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5300e8.
2019-02-11 18:23:41,200 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x5300f0 and Type=0x0.
2019-02-11 18:23:41,200 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,200 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x5300f0 (EIP = 0x415c44).
2019-02-11 18:23:41,216 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:41,216 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415c5f
2019-02-11 18:23:41,216 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5300e8.
2019-02-11 18:23:41,230 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0xa51a20 and Type=0x0.
2019-02-11 18:23:41,230 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,230 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0xa51a20 (EIP = 0x415c5f).
2019-02-11 18:23:41,246 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:41,246 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415c44
2019-02-11 18:23:41,246 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x5300e8.
2019-02-11 18:23:41,262 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x531a20 and Type=0x0.
2019-02-11 18:23:41,262 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,262 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x531a20 (EIP = 0x415c44).
2019-02-11 18:23:41,278 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 18:23:41,278 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x10000000, RegionSize: 0x7000.
2019-02-11 18:23:41,278 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x530000.
2019-02-11 18:23:41,293 [root] DEBUG: DumpPEsInRange: Scanning range 0x530000 - 0x534000.
2019-02-11 18:23:41,293 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x530000
2019-02-11 18:23:41,293 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-02-11 18:23:41,309 [root] DEBUG: CAPEExceptionFilter: Exception in cuckoomon caught (expected in memory scans), passing to next handler.
2019-02-11 18:23:41,309 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x534000
2019-02-11 18:23:41,309 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-02-11 18:23:41,325 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x530000
2019-02-11 18:23:41,339 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\2860_325124312222019
2019-02-11 18:23:41,339 [root] DEBUG: DumpPE: PE file in memory dumped successfully.
2019-02-11 18:23:41,355 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x530000.
2019-02-11 18:23:41,355 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x530001-0x534000.
2019-02-11 18:23:41,371 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 18:23:41,371 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x530000 - 0x534000.
2019-02-11 18:23:41,371 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5300e8.
2019-02-11 18:23:41,371 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x531a20.
2019-02-11 18:23:41,387 [root] DEBUG: NtAllocateVirtualMemory hook: Memory reserved but not committed at 0x10000000.
2019-02-11 18:23:41,387 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x10001000, RegionSize: 0x3000.
2019-02-11 18:23:41,403 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x10001000, AllocationSize: 0x3000, ThreadId: 0x960
2019-02-11 18:23:41,403 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x2, Address=0x10001000 and Type=0x1.
2019-02-11 18:23:41,403 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x10001000, size 2 with Callback 0x74af3100, ThreadHandle = 0xac.
2019-02-11 18:23:41,417 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x10001000
2019-02-11 18:23:41,417 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415e04
2019-02-11 18:23:41,417 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x10001000.
2019-02-11 18:23:41,434 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x10001000: 0x0.
2019-02-11 18:23:41,434 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x10001000 and Type=0x0.
2019-02-11 18:23:41,434 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 18:23:41,450 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x10001000, AllocationBaseExecBpSet = 1 (EIP = 0x415e04)
2019-02-11 18:23:41,450 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 18:23:41,450 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415e04
2019-02-11 18:23:41,464 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x10001000.
2019-02-11 18:23:41,464 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x10001000: 0x0.
2019-02-11 18:23:41,464 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:41,480 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415a3c
2019-02-11 18:23:41,480 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x10001000.
2019-02-11 18:23:41,480 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x10001000: 0x48.
2019-02-11 18:23:41,496 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:41,496 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x415a3c
2019-02-11 18:23:41,512 [lib.api.process] WARNING: Unable to find process dump for process 1988.
2019-02-11 18:23:41,512 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x10001000.
2019-02-11 18:23:41,512 [root] INFO: Process with pid 1988 has terminated
2019-02-11 18:23:41,512 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x10001000: 0x48.
2019-02-11 18:23:41,512 [root] DEBUG: BaseAddressWriteCallback: allocation exec bp already set, doing nothing.
2019-02-11 18:23:41,528 [root] DEBUG: ProtectionHandler: Address: 0x10001000, RegionSize: 0x2b8a
2019-02-11 18:23:41,528 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x10001000.
2019-02-11 18:23:41,528 [root] DEBUG: DumpPEsInRange: Scanning range 0x10000000 - 0x10003000.
2019-02-11 18:23:41,559 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x10000000
2019-02-11 18:23:41,559 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:23:41,559 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x10000000
2019-02-11 18:23:41,573 [root] DEBUG: DumpProcess: Module entry point VA is 0x10001a20
2019-02-11 18:23:41,589 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\2860_574124312222019
2019-02-11 18:23:41,605 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:23:41,605 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x10000000.
2019-02-11 18:23:41,605 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x10000001-0x10003000.
2019-02-11 18:23:41,621 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:23:41,621 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10001000 - 0x10004000.
2019-02-11 18:23:41,621 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x10001000.
2019-02-11 18:23:41,637 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x10001000.
2019-02-11 18:23:41,637 [root] DEBUG: DumpPEsInRange: Scanning range 0x10000000 - 0x10003000.
2019-02-11 18:23:41,637 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x10000000
2019-02-11 18:23:41,651 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:23:41,651 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x10000000
2019-02-11 18:23:41,651 [root] DEBUG: DumpProcess: Module entry point VA is 0x10001a20
2019-02-11 18:23:41,684 [root] INFO: Added new CAPE file to list with path: C:\vzhcayeqy\CAPE\2860_668124312222019
2019-02-11 18:23:41,684 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:23:41,698 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x10000000.
2019-02-11 18:23:41,698 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x10000001-0x10003000.
2019-02-11 18:23:41,698 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 18:23:41,714 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x10001000 and Type=0x0.
2019-02-11 18:23:41,714 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x10001000, size 0 with Callback 0x74af2e90, ThreadHandle = 0xac.
2019-02-11 18:23:41,714 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x10001000, AllocationBaseExecBpSet = 1
2019-02-11 18:23:41,730 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1504
2019-02-11 18:23:41,730 [root] INFO: Added new process to list with pid: 1504
2019-02-11 18:23:41,746 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:23:41,746 [lib.api.process] INFO: 64-bit DLL to inject is C:\vzhcayeqy\dll\vIZfUnq.dll, loader C:\vzhcayeqy\bin\AtcBQlTY.exe
2019-02-11 18:23:41,762 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1504
2019-02-11 18:23:43,197 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-02-11 18:23:44,569 [lib.api.process] WARNING: Unable to find process dump for process 2860.
2019-02-11 18:23:44,569 [root] INFO: Process with pid 2860 has terminated
2019-02-11 18:26:46,138 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-02-11 18:26:46,138 [root] INFO: Created shutdown mutex.
2019-02-11 18:26:47,151 [root] INFO: Setting terminate event for process 1504.
2019-02-11 18:26:47,151 [root] INFO: Shutting down package.
2019-02-11 18:26:47,167 [lib.api.process] WARNING: Unable to find process dump for process 1504.
2019-02-11 18:26:47,167 [root] INFO: Stopping auxiliary modules.
2019-02-11 18:26:47,167 [root] INFO: Finishing auxiliary modules.
2019-02-11 18:26:47,167 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-02-11 18:26:47,167 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-02-11 18:23:19 2019-02-11 18:26:59

File Details

File Name corona.mor
File Size 394048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4c828e6887c195250b3ac3b702bf61ac
SHA1 1a638b7c5cc88945c44668d59849cbb0eee6463b
SHA256 e30f1ea0b6e3b7fa083270a1de65103b54ee7c78049282ae17060435dfbee051
SHA512 6a43339f3a5fd1128e4f0a7324d6325f1cdc02c34c061def837c473df16c774798d62ec9b44b7d40a2a61500e772fc3755fa0fa20cbf9c32eb3ffbdf116b5609
CRC32 348E07E5
Ssdeep 6144:3XR8wObqRyN8tc7rmr4vkU4FWJkcby0I8IdUZTm+m9PG9+BeDHGFm:3BQKc7rUEyWdI8ISlCBIIm
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched
Download Download ZIP Resubmit sample

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3008 trigged the Yara rule 'shellcode'
Hit: PID 3008 trigged the Yara rule 'HeavensGate'
Possible date expiration check, exits too soon after checking local time
process: powershell.exe, PID 1828
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorImageUnloading
DynamicLoader: mscoree.dll/_CorValidateImage
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: mscoree.dll/DllGetClassObject
DynamicLoader: mscoreei.dll/DllGetClassObject_RetAddr
DynamicLoader: mscoreei.dll/DllGetClassObject
DynamicLoader: diasymreader.dll/DllGetClassObjectInternal
DynamicLoader: kernel32.dll/GetConsoleOutputCP
DynamicLoader: kernel32.dll/GetConsoleOutputCPW
DynamicLoader: GDI32.dll/TranslateCharsetInfo
DynamicLoader: GDI32.dll/TranslateCharsetInfoW
DynamicLoader: kernel32.dll/SetConsoleTextAttribute
DynamicLoader: kernel32.dll/SetConsoleTextAttributeW
DynamicLoader: kernel32.dll/WriteConsole
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
A process created a hidden window
Process: corona.mor -> C:\Users\user\AppData\Local\Temp\corona.mor
Process: cpspoa.mor -> C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
A scripting utility was executed
command: C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: powershell Set-MpPreference -DisableRealtimeMonitoring $true
Uses Windows utilities for basic functionality
command: C:\Windows\system32\cmd.exe /c sc stop WinDefend
command: C:\Windows\system32\cmd.exe /c sc stop WinDefend
command: C:\Windows\system32\cmd.exe /c sc delete WinDefend
command: C:\Windows\system32\cmd.exe /c sc delete WinDefend
command: C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: sc delete WinDefend
command: sc stop WinDefend
Attempts to stop active services
servicename: WinDefend
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\SysWOW64\ntdll.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\*
C:\Users\user\AppData\Roaming\cleanmem
C:\Users\user\AppData\Local\Temp\corona.mor
C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
C:\Windows\System32
C:\Windows
C:\Windows\System32\sc.*
C:\Windows\System32\sc.COM
C:\Windows\System32\sc.exe
C:\Windows\System32\powershell.*
C:\Windows\System32\powershell
C:\Windows\powershell.*
C:\Windows\powershell
C:\Windows\System32\wbem\powershell.*
C:\Windows\System32\wbem\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.*
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.COM
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
\Device\KsecDD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
\??\MountPointManager
::\
::\{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}
::\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
::\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::\{2559A1F1-21D7-11D4-BDAF-00C04F60B9F0}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
::\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\user\Desktop
C:\Users\Public\Desktop
C:\Users\Public
C:\Users\Public\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\DosDevices\pipe\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\
C:\Windows\System32\windowspowershell\v1.0\powershell_ise.exe
C:\Windows\SysWOW64\windowspowershell
C:\Windows\System32\WindowsPowerShell
C:\Windows\System32\WindowsPowerShell\v1.0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\hh.exe
C:\Windows\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B1BX536UG036N2TANTU.temp
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\OLEAUT32.dll
C:\Windows\Globalization\en-gb.nlp
C:\Windows\Globalization\en-us.nlp
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1c511d8fad78ad3c5213b2b4fb02b8b\Microsoft.PowerShell.ConsoleHost.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4436815b432c313255af322f4ec3560d\System.Management.Automation.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI
C:\Windows\System32\l_intl.nls
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\fbc05b5b05dc6366b02b8e2f77d080f1\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4f68cd04686e5dc5a55070d112d44bdf\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI
C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\f02737c83305687a68c088927a6c5a98\System.Configuration.Install.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\ee28a075665b6bc23b6dae56903d431d\Microsoft.WSMan.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad18f93fc713db2c4b29b25116c13bd8\System.Transactions.ni.dll
C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI
C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3008a05e2928e2c1d856cc34e0422c17\Microsoft.PowerShell.Commands.Utility.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8df695fb80187f65208d87229e81e8a2\Microsoft.PowerShell.Commands.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8ce205027e30804d1b2deaffa0582735\Microsoft.PowerShell.Security.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI
C:\Windows\Globalization\en.nlp
C:\Windows\assembly\GAC_32\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources\Microsoft.PowerShell.ConsoleHost.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources\Microsoft.PowerShell.ConsoleHost.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\45ec12795950a7d54691591c615a9e3c\System.DirectoryServices.ni.dll
C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI
C:\Windows\assembly\GAC_32\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources\System.Management.Automation.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources\System.Management.Automation.resources.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\System32\tzres.dll
C:\Windows\assembly\GAC_32\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources\Microsoft.WSMan.Management.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources\Microsoft.WSMan.Management.resources.exe
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\secur32.dll
C:\Windows\assembly\GAC_32\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources\Microsoft.PowerShell.Security.resources.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources\Microsoft.PowerShell.Security.resources.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\System.Data.ni.dll
C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI
C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
C:\Users\user\Documents\WindowsPowerShell\profile.ps1
C:\Users\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
C:\Windows\System32\Set-MpPreference.ps1
C:\Windows\System32\Set-MpPreference.psm1
C:\Windows\System32\Set-MpPreference.psd1
C:\Windows\System32\Set-MpPreference.COM
C:\Windows\System32\Set-MpPreference.EXE
C:\Windows\System32\Set-MpPreference.BAT
C:\Windows\System32\Set-MpPreference.CMD
C:\Windows\System32\Set-MpPreference.VBS
C:\Windows\System32\Set-MpPreference.VBE
C:\Windows\System32\Set-MpPreference.JS
C:\Windows\System32\Set-MpPreference.JSE
C:\Windows\System32\Set-MpPreference.WSF
C:\Windows\System32\Set-MpPreference.WSH
C:\Windows\System32\Set-MpPreference.MSC
C:\Windows\System32\Set-MpPreference
C:\Windows\Set-MpPreference.ps1
C:\Windows\Set-MpPreference.psm1
C:\Windows\Set-MpPreference.psd1
C:\Windows\Set-MpPreference.COM
C:\Windows\Set-MpPreference.EXE
C:\Windows\Set-MpPreference.BAT
C:\Windows\Set-MpPreference.CMD
C:\Windows\Set-MpPreference.VBS
C:\Windows\Set-MpPreference.VBE
C:\Windows\Set-MpPreference.JS
C:\Windows\Set-MpPreference.JSE
C:\Windows\Set-MpPreference.WSF
C:\Windows\Set-MpPreference.WSH
C:\Windows\Set-MpPreference.MSC
C:\Windows\Set-MpPreference
C:\Windows\System32\wbem\Set-MpPreference.ps1
C:\Windows\System32\wbem\Set-MpPreference.psm1
C:\Windows\System32\wbem\Set-MpPreference.psd1
C:\Windows\System32\wbem\Set-MpPreference.COM
C:\Windows\System32\wbem\Set-MpPreference.EXE
C:\Windows\System32\wbem\Set-MpPreference.BAT
C:\Windows\System32\wbem\Set-MpPreference.CMD
C:\Windows\System32\wbem\Set-MpPreference.VBS
C:\Windows\System32\wbem\Set-MpPreference.VBE
C:\Windows\System32\wbem\Set-MpPreference.JS
C:\Windows\System32\wbem\Set-MpPreference.JSE
C:\Windows\System32\wbem\Set-MpPreference.WSF
C:\Windows\System32\wbem\Set-MpPreference.WSH
C:\Windows\System32\wbem\Set-MpPreference.MSC
C:\Windows\System32\wbem\Set-MpPreference
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.psm1
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.psd1
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.COM
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.BAT
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.CMD
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.VBS
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.VBE
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.JS
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.JSE
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.WSF
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.WSH
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference.MSC
C:\Windows\System32\WindowsPowerShell\v1.0\Set-MpPreference
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb
C:\Windows\symbols\dll\System.Management.Automation.pdb
C:\Windows\dll\System.Management.Automation.pdb
C:\Windows\System.Management.Automation.pdb
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1828.35202324
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1828.35202324
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1828.35202324
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\corona.mor
\Device\KsecDD
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
\??\PIPE\srvsvc
C:\Windows
C:\Windows\System32
C:\Windows\System32\WindowsPowerShell
C:\Windows\System32\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B1BX536UG036N2TANTU.temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1c511d8fad78ad3c5213b2b4fb02b8b\Microsoft.PowerShell.ConsoleHost.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4436815b432c313255af322f4ec3560d\System.Management.Automation.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\fbc05b5b05dc6366b02b8e2f77d080f1\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4f68cd04686e5dc5a55070d112d44bdf\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\f02737c83305687a68c088927a6c5a98\System.Configuration.Install.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\ee28a075665b6bc23b6dae56903d431d\Microsoft.WSMan.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad18f93fc713db2c4b29b25116c13bd8\System.Transactions.ni.dll
C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3008a05e2928e2c1d856cc34e0422c17\Microsoft.PowerShell.Commands.Utility.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8df695fb80187f65208d87229e81e8a2\Microsoft.PowerShell.Commands.Management.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8ce205027e30804d1b2deaffa0582735\Microsoft.PowerShell.Security.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\45ec12795950a7d54691591c615a9e3c\System.DirectoryServices.ni.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\System32\tzres.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\System.Data.ni.dll
C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb
C:\Windows\symbols\dll\System.Management.Automation.pdb
C:\Windows\dll\System.Management.Automation.pdb
C:\Windows\System.Management.Automation.pdb
C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B1BX536UG036N2TANTU.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B1BX536UG036N2TANTU.temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1828.35202324
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1828.35202324
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1828.35202324
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
DisableNotifications
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_CLASSES_ROOT\.lnk\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\UserChoice
HKEY_CLASSES_ROOT\lnkfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\DocObject
HKEY_CLASSES_ROOT\SystemFileAssociations\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID\(Default)
HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\Implemented Categories\{00021490-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-735
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-734
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\AccessibilityCpl.dll,-10
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-737
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Start Menu
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sud.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wucltux.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\ehome\ehres.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10030
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\rstrui.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\comres.dll,-3410
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mycomput.dll,-300
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10021
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msconfig.exe,-126
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\gameux.dll,-10082
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msra.exe,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PropertyBag
HKEY_CLASSES_ROOT\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SortOrderIndex
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\StartPage\FavoritesRemovedChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheSMP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheTBP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\Start_TrackProgs
HKEY_CLASSES_ROOT\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere (64-ovg).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Pbzznaq Cebzcg.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Jvaqbjf Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Aneengbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Ba-Fperra Xrlobneq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Flfgrz Gbbyf\Cevingr Punenpgre Rqvgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npebong.pbz.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqbor Ernqre 9.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Fvqrone.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf QIQ Znxre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Snk naq Fpna.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Zrqvn Cynlre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\KCF Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\qvfcynlfjvgpu.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zngu Vachg Cnary.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zbovyvgl Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\ArgjbexCebwrpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fbhaq Erpbeqre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flap Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jbeqcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Npprffvovyvgl\Fcrrpu Erpbtavgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\qsethv.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Erfbhepr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Vasbezngvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Erfgber.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre Ercbegf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\FuncrPbyyrpgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\GnoGvc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\Jvaqbjf Wbheany.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzcbarag Freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzchgre Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Qngn Fbheprf (BQOP).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Rirag Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\vFPFV Vavgvngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Zrzbel Qvntabfgvpf Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cresbeznapr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cevag Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Frphevgl Pbasvthengvba Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Flfgrz Pbasvthengvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf Sverjnyy jvgu Nqinaprq Frphevgl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf CbjreFuryy Zbqhyrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Perngr Erpbirel Qvfp.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Erzbgr Nffvfgnapr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Rkpry 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg BarAbgr 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bhgybbx 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg CbjreCbvag 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Jbeq 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Qvtvgny Pregvsvpngr sbe ION Cebwrpgf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Pyvc Betnavmre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Ynathntr Cersreraprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Hcybnq Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr Cvpgher Znantre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Bssvpr Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\VQYR (Clguba THV).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Zbqhyr Qbpf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Clguba (pbzznaq yvar).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.64Ovg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.Qrsnhyg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zntavsl.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\aneengbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bfx.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\rhqprqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Npebong.pbz\Npebong.pbz.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Ernqre 9.0\Ernqre\NpebEq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{Q4N262QQ-PR44-Q105-S36O-9Q77N8PO65N4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfNalgvzrHctenqrHV.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\QIQ Znxre\QIQZnxre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JSF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnCynlre32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\kcfepuij.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qvfcynlfjvgpu.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\zvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{NN198O3P-PQ8P-7QR1-98Q1-O460S637193O}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ArgCebw.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FbhaqErpbeqre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zboflap.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf AG\Npprffbevrf\jbeqcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{QNN168QR-4306-P8OP-8P11-O596240OQQRQ}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\puneznc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qsethv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pyrnazte.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P804OON7-SN5S-POS7-8O55-2096R5S972PO}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvasb32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\efgehv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P1P6S8NP-40N3-0S5P-146S-65N9QP70OOO4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\cbfgzvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\zvtjvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\FuncrPbyyrpgbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\GnoGvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf Wbheany\Wbheany.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pbzrkc.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NOQ94SO-R7Q6-84N6-N997-P918RQQR0NR5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bqopnq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OO044OSQ-25O7-2SNN-22N8-6371N93R0456}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\vfpfvpcy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ZqFpurq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NN47365-O2O3-1961-69RO-S866R376O12S}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\cevagznantrzrag.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OQ3S924R-55SO-N1ON-9QR6-O50S9S2460NP}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\freivprf.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfpbasvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JS.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{15067OP1-P5N8-425R-37P6-SN0O891674S9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erpqvfp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfen.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BARABGR.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\CBJRECAG.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxBssvprQvtvgnyFSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\ZFGBER.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxFrgYnathntrSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxJkcSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BVF.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Pbzzba Svyrf\zvpebfbsg funerq\BSSVPR14\Bssvpr Frghc Pbagebyyre\cebzb.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{7SR8Q22N-SO1Q-N8OR-01R3-6P8693961R6R}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{53123611-QN37-S8QN-SNP9-03R76QO9Q64Q}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
HKEY_CLASSES_ROOT\Applications\powershell.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_MinMFU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IOBKJVAQBJFNQQVGVBAF-NZQ64.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\IObkQeiVafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\IOBKFIE\Qbjaybnqf\9.0_NqorEqe90_ra_HF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvrkrp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\CVY-1.1.7.jva32-cl2.7.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\wqx-7-jvaqbjf-v586.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\frghc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IObkJvaqbjfNqqvgvbaf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\HfreNppbhagPbagebyFrggvatf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erxrljvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zzp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\fyhv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\frgup.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FlfgrzCebcregvrfNqinaprq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\AQC451-XO2858728-k86-k64-NyyBF-RAH.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\havafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\NccQngn\Ybpny\Grzc\~afh.gzc\Nh_.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jvaire.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clgubaj.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qbjaybnqf\Nhgbehaf64.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Benpyr IZ IveghnyObk Thrfg Nqqvgvbaf\Havafgnyy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\RuntimeVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Transactions,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Core,3.5.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Runtime__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Utility__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2b1373f4\4f4f14cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3e571dbb\41bddfc6
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\PSMODULEPATH
HKEY_CURRENT_USER\Environment
HKEY_CURRENT_USER\Environment\PSMODULEPATH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a94d4ab\5a294d6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\HardwareEvents
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Internet Explorer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Key Management Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Media Center
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Media Center\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\OAlerts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\OAlerts\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Windows PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Windows PowerShell\PowerShell
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\20fe3c1a\56aa3966
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_CURRENT_USER\Control Panel\Desktop\LanguageConfiguration
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-735
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-734
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\AccessibilityCpl.dll,-10
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-737
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Start Menu
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sud.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wucltux.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\ehome\ehres.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10030
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\rstrui.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\comres.dll,-3410
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mycomput.dll,-300
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10021
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msconfig.exe,-126
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\gameux.dll,-10082
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msra.exe,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SortOrderIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\StartPage\FavoritesRemovedChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheSMP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheTBP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\Start_TrackProgs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere (64-ovg).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Pbzznaq Cebzcg.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Jvaqbjf Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Aneengbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Ba-Fperra Xrlobneq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Flfgrz Gbbyf\Cevingr Punenpgre Rqvgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npebong.pbz.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqbor Ernqre 9.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Fvqrone.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf QIQ Znxre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Snk naq Fpna.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Zrqvn Cynlre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\KCF Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\qvfcynlfjvgpu.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zngu Vachg Cnary.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zbovyvgl Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\ArgjbexCebwrpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fbhaq Erpbeqre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flap Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jbeqcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Npprffvovyvgl\Fcrrpu Erpbtavgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\qsethv.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Erfbhepr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Vasbezngvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Erfgber.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre Ercbegf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\FuncrPbyyrpgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\GnoGvc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\Jvaqbjf Wbheany.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzcbarag Freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzchgre Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Qngn Fbheprf (BQOP).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Rirag Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\vFPFV Vavgvngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Zrzbel Qvntabfgvpf Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cresbeznapr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cevag Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Frphevgl Pbasvthengvba Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Flfgrz Pbasvthengvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf Sverjnyy jvgu Nqinaprq Frphevgl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf CbjreFuryy Zbqhyrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Perngr Erpbirel Qvfp.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Erzbgr Nffvfgnapr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Rkpry 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg BarAbgr 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bhgybbx 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg CbjreCbvag 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Jbeq 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Qvtvgny Pregvsvpngr sbe ION Cebwrpgf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Pyvc Betnavmre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Ynathntr Cersreraprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Hcybnq Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr Cvpgher Znantre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Bssvpr Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\VQYR (Clguba THV).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Zbqhyr Qbpf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Clguba (pbzznaq yvar).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.64Ovg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.Qrsnhyg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zntavsl.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\aneengbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bfx.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\rhqprqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Npebong.pbz\Npebong.pbz.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Ernqre 9.0\Ernqre\NpebEq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{Q4N262QQ-PR44-Q105-S36O-9Q77N8PO65N4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfNalgvzrHctenqrHV.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\QIQ Znxre\QIQZnxre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JSF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnCynlre32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\kcfepuij.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qvfcynlfjvgpu.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\zvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{NN198O3P-PQ8P-7QR1-98Q1-O460S637193O}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ArgCebw.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FbhaqErpbeqre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zboflap.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf AG\Npprffbevrf\jbeqcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{QNN168QR-4306-P8OP-8P11-O596240OQQRQ}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\puneznc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qsethv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pyrnazte.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P804OON7-SN5S-POS7-8O55-2096R5S972PO}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvasb32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\efgehv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P1P6S8NP-40N3-0S5P-146S-65N9QP70OOO4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\cbfgzvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\zvtjvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\FuncrPbyyrpgbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\GnoGvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf Wbheany\Wbheany.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pbzrkc.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NOQ94SO-R7Q6-84N6-N997-P918RQQR0NR5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bqopnq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OO044OSQ-25O7-2SNN-22N8-6371N93R0456}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\vfpfvpcy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ZqFpurq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NN47365-O2O3-1961-69RO-S866R376O12S}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\cevagznantrzrag.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OQ3S924R-55SO-N1ON-9QR6-O50S9S2460NP}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\freivprf.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfpbasvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JS.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{15067OP1-P5N8-425R-37P6-SN0O891674S9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erpqvfp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfen.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BARABGR.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\CBJRECAG.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxBssvprQvtvgnyFSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\ZFGBER.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxFrgYnathntrSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxJkcSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BVF.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Pbzzba Svyrf\zvpebfbsg funerq\BSSVPR14\Bssvpr Frghc Pbagebyyre\cebzb.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{7SR8Q22N-SO1Q-N8OR-01R3-6P8693961R6R}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{53123611-QN37-S8QN-SNP9-03R76QO9Q64Q}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_MinMFU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IOBKJVAQBJFNQQVGVBAF-NZQ64.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\IObkQeiVafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\IOBKFIE\Qbjaybnqf\9.0_NqorEqe90_ra_HF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvrkrp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\CVY-1.1.7.jva32-cl2.7.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\wqx-7-jvaqbjf-v586.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\frghc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IObkJvaqbjfNqqvgvbaf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\HfreNppbhagPbagebyFrggvatf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erxrljvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zzp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\fyhv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\frgup.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FlfgrzCebcregvrfNqinaprq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\AQC451-XO2858728-k86-k64-NyyBF-RAH.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\havafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\NccQngn\Ybpny\Grzc\~afh.gzc\Nh_.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jvaire.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clgubaj.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qbjaybnqf\Nhgbehaf64.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Benpyr IZ IveghnyObk Thrfg Nqqvgvbaf\Havafgnyy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\RuntimeVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Transactions,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Core,3.5.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73\MissingDependencies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\PSMODULEPATH
HKEY_CURRENT_USER\Environment\PSMODULEPATH
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
DisableAntiSpyware
DisableNotifications
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
kernel32.dll.SetProcessDEPPolicy
kernel32.dll.VirtualAlloc
kernel32.dll.ExitProcess
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
cryptbase.dll.SystemFunction036
ole32.dll.CoCreateInstance
shell32.dll.#66
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetMalloc
ole32.dll.CoInitializeEx
ole32.dll.CreateBindCtx
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
comctl32.dll.#386
ole32.dll.CoUninitialize
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#385
comctl32.dll.#336
comctl32.dll.#321
comctl32.dll.#329
comctl32.dll.#333
ntdll.dll.RtlDllShutdownInProgress
propsys.dll.PSCreateMemoryPropertyStore
sechost.dll.ConvertSidToStringSidW
profapi.dll.#104
linkinfo.dll.CreateLinkInfoW
user32.dll.IsCharAlphaW
user32.dll.CharPrevW
ntshrui.dll.GetNetResourceFromLocalPathW
srvcli.dll.NetShareEnum
cscapi.dll.CscNetApiGetInterface
slc.dll.SLGetWindowsInformationDWORD
shlwapi.dll.PathRemoveFileSpecW
linkinfo.dll.DestroyLinkInfo
propsys.dll.PropVariantToBoolean
ole32.dll.PropVariantClear
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
oleaut32.dll.#500
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll.CorBindToRuntimeEx
shlwapi.dll.UrlIsW
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
mscorwks.dll.DllGetClassObjectInternal
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
mscoree.dll._CorExeMain
mscoree.dll._CorImageUnloading
mscoree.dll._CorValidateImage
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
oleaut32.dll.#149
kernel32.dll.GetUserDefaultUILanguage
oleaut32.dll.#9
kernel32.dll.GetVersionExW
kernel32.dll.GetFullPathNameW
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
kernel32.dll.lstrcpy
kernel32.dll.lstrcpyW
version.dll.VerLanguageNameW
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.GetCurrentProcess
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
psapi.dll.GetModuleFileNameExW
kernel32.dll.GetExitCodeProcess
ntdll.dll.NtQuerySystemInformation
user32.dll.EnumWindows
user32.dll.GetWindowThreadProcessId
kernel32.dll.WerSetFlags
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.GetEnvironmentVariableW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
mscoreei.dll._CorDllMain
mscoree.dll.GetTokenForVTableEntry
mscoree.dll.SetTargetForVTableEntry
mscoree.dll.GetTargetForVTableEntry
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
ole32.dll.CoCreateGuid
kernel32.dll.CreateFileW
kernel32.dll.GetConsoleScreenBufferInfo
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
mscoree.dll.ND_RI4
mscoreei.dll.ND_RI4
advapi32.dll.DuplicateTokenEx
advapi32.dll.CheckTokenMembership
kernel32.dll.GetConsoleTitleW
kernel32.dll.SetConsoleTitleW
kernel32.dll.SetConsoleCtrlHandler
kernel32.dll.CreateEventW
ntdll.dll.WinSqmIsOptedIn
kernel32.dll.ExpandEnvironmentStringsW
shfolder.dll.SHGetFolderPathW
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetFileType
kernel32.dll.ReadFile
kernel32.dll.GetSystemInfo
kernel32.dll.VirtualQuery
kernel32.dll.GlobalMemoryStatusEx
secur32.dll.GetUserNameExW
advapi32.dll.GetUserNameW
kernel32.dll.ReleaseMutex
advapi32.dll.RegisterEventSourceW
advapi32.dll.DeregisterEventSource
advapi32.dll.ReportEventW
kernel32.dll.GetLogicalDrives
kernel32.dll.GetDriveTypeW
kernel32.dll.GetVolumeInformationW
kernel32.dll.GetCurrentDirectoryW
mscoreei.dll.GetTokenForVTableEntry
mscoreei.dll.SetTargetForVTableEntry
kernel32.dll.GetLastError
mscorjit.dll.getJit
kernel32.dll.GetStdHandle
kernel32.dll.GetConsoleMode
kernel32.dll.SetEvent
kernel32.dll.SwitchToThread
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
mscoree.dll.DllGetClassObject
mscoreei.dll.DllGetClassObject
diasymreader.dll.DllGetClassObjectInternal
kernel32.dll.GetConsoleOutputCP
gdi32.dll.TranslateCharsetInfo
kernel32.dll.SetConsoleTextAttribute
kernel32.dll.WriteConsoleW
mscoree.dll.CorExitProcess
mscoreei.dll.CorExitProcess
mscorwks.dll.CorExitProcess
mscorwks.dll._CorDllMain
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
netutils.dll.NetApiBufferFree
"C:\Users\user\AppData\Local\Temp\corona.mor"
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
sc delete WinDefend
powershell Set-MpPreference -DisableRealtimeMonitoring $true
sc stop WinDefend
Global\CLR_CASOFF_MUTEX

PE Information

Image Base 0x00400000
Entry Point 0x0040b427
Reported Checksum 0x00065234
Actual Checksum 0x00065234
Minimum OS Version 5.0
Compile Time 2019-02-08 17:38:28
Import Hash 6e2e60f8ba26f912ea4215781361b8f2

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000104c9 0x00010600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.23
.rdata 0x00012000 0x0004a18c 0x0004a200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.23
.data 0x0005d000 0x0001cc1c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.10
.rsrc 0x0007a000 0x00003278 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.56

Overlay

Offset 0x0005f000
Size 0x00001340

Imports

Library USER32.dll:
0x412310 FindWindowA
0x412314 GetClassNameA
0x412318 LoadStringA
0x41231c EnumWindows
0x412320 SetWindowsHookExA
0x412324 MessageBoxIndirectW
0x412328 DialogBoxParamW
0x41232c PostMessageA
0x412330 EnableScrollBar
0x412334 CallWindowProcA
0x412338 PeekMessageA
0x41233c IsDialogMessageA
0x412340 DispatchMessageA
0x412344 SetWindowLongA
0x412348 CreateDialogParamW
0x41234c GetWindowLongA
0x412350 GetWindowTextA
0x412354 LoadImageA
0x412358 SendMessageA
0x41235c EnumDisplayMonitors
0x412360 GetMonitorInfoA
0x412364 KillTimer
0x412368 SetTimer
0x41236c CharNextW
0x412370 PostThreadMessageW
0x412374 CharUpperW
0x412378 UnregisterClassW
0x41237c LoadCursorW
0x412380 GetSysColorBrush
0x412384 MessageBeep
0x412388 GetNextDlgGroupItem
0x412390 MapDialogRect
0x412394 ReleaseCapture
0x412398 SetCapture
0x41239c InvalidateRgn
0x4123a0 InvalidateRect
0x4123a4 SetRect
0x4123a8 IsRectEmpty
0x4123b0 EndPaint
0x4123b4 ReleaseDC
0x4123b8 GetDC
0x4123bc ClientToScreen
0x4123c0 GrayStringW
0x4123c4 DrawTextExW
0x4123c8 DrawTextW
0x4123cc TabbedTextOutW
0x4123d0 FillRect
0x4123d4 ShowWindow
0x4123d8 MoveWindow
0x4123dc IsDialogMessageW
0x4123e0 IsDlgButtonChecked
0x4123e4 SetDlgItemTextW
0x4123e8 GetDlgItemTextW
0x4123ec CheckDlgButton
0x4123f0 SendDlgItemMessageW
0x4123f4 SendDlgItemMessageA
0x4123f8 WinHelpW
0x4123fc GetClassLongW
0x412400 SetPropW
0x412404 GetPropW
0x412408 RemovePropW
0x41240c UnregisterClassA
0x412410 GetWindowTextW
0x412418 EnumThreadWindows
0x41241c SendMessageW
0x412420 EnableWindow
0x412424 GetTopWindow
0x412428 GetMessageTime
0x41242c GetMessagePos
0x412430 MapWindowPoints
0x412434 ScrollWindow
0x412438 SetScrollRange
0x41243c GetScrollRange
0x412440 SetScrollPos
0x412444 GetScrollPos
0x412448 UpdateWindow
0x41244c GetMenu
0x412450 GetClassInfoExW
0x412454 GetClassInfoW
0x412458 RegisterClassW
0x41245c GetSysColor
0x412460 AdjustWindowRectEx
0x412464 EqualRect
0x412468 CopyRect
0x41246c PtInRect
0x412470 GetDlgCtrlID
0x412474 DefWindowProcW
0x412478 OffsetRect
0x41247c IntersectRect
Library KERNEL32.dll:
0x412000 FreeConsole
0x412004 RtlUnwind
0x412008 OutputDebugStringW
0x41200c LoadLibraryExW
0x412010 LCMapStringEx
0x412014 FlsFree
0x412018 FlsSetValue
0x41201c FlsGetValue
0x412020 FlsAlloc
0x412024 GetTickCount64
0x41202c InitOnceExecuteOnce
0x412034 GetModuleHandleExW
0x412040 DecodePointer
0x412044 EncodePointer
0x412048 IsDebuggerPresent
0x41204c ResumeThread
0x412050 GlobalAddAtomW
0x412054 GetCurrentProcessId
0x41205c RaiseException
0x412060 FreeResource
0x412064 GetVersionExA
0x412068 LoadLibraryA
0x41206c CompareStringW
0x412070 GlobalFindAtomW
0x412074 TlsGetValue
0x412078 GlobalReAlloc
0x41207c GlobalHandle
0x412080 TlsAlloc
0x412084 TlsSetValue
0x412088 LocalReAlloc
0x41208c TlsFree
0x412090 GlobalFlags
0x412094 MoveFileW
0x412098 LockFile
0x41209c UnlockFile
0x4120a0 SetEndOfFile
0x4120a4 DuplicateHandle
0x4120a8 GetFullPathNameW
0x4120b0 lstrlenA
0x4120b4 GetFileTime
0x4120b8 HeapFree
0x4120bc HeapAlloc
0x4120c4 GetStartupInfoW
0x4120c8 TerminateProcess
0x4120d4 HeapReAlloc
0x4120d8 SetStdHandle
0x4120dc GetFileType
0x4120e0 ExitProcess
0x4120e4 ExitThread
0x4120e8 CreateThread
0x4120ec VirtualProtect
0x4120f0 VirtualAlloc
0x4120f4 VirtualQuery
0x4120f8 HeapSize
0x4120fc GetModuleFileNameA
0x412110 GetCommandLineA
0x412114 SetHandleCount
0x412118 HeapDestroy
0x41211c HeapCreate
0x412120 VirtualFree
0x412128 GetCPInfo
0x41212c GetOEMCP
0x412130 Sleep
0x412134 LCMapStringA
0x412138 LCMapStringW
0x412140 GetConsoleCP
0x412144 GetConsoleMode
0x412148 GetLocaleInfoA
0x41214c GetProcAddress
0x412150 GetModuleHandleA
0x412154 GetProcessHeap
0x412160 ReleaseSemaphore
0x412164 CreateSemaphoreA
0x412168 GetShortPathNameW
0x41216c CloseHandle
0x412170 GetFileSizeEx
0x412174 CreateFileW
0x412178 CopyFileW
0x41217c FlushFileBuffers
0x412180 WriteFile
0x412184 GetSystemTime
0x412188 WaitForSingleObject
0x41218c GetLastError
0x412190 CreateMutexW
0x412194 WideCharToMultiByte
0x412198 GetACP
0x41219c MultiByteToWideChar
0x4121a0 GetDiskFreeSpaceExW
0x4121a4 GetDriveTypeW
0x4121a8 GetFileAttributesW
0x4121ac DeleteFileW
0x4121b0 SetFileAttributesW
0x4121bc SetErrorMode
0x4121c0 lstrcpyW
0x4121c8 GetTempPathW
0x4121cc ReadFile
0x4121d0 GetFileSize
0x4121d4 GetDriveTypeA
0x4121dc FindNextFileW
0x4121e0 FreeLibrary
0x4121e4 LoadResource
0x4121e8 FindResourceExW
0x4121ec LoadLibraryW
0x4121f0 GetModuleFileNameW
0x4121f4 ReleaseMutex
0x4121f8 SetLastError
0x412200 GetTempFileNameW
0x412204 SizeofResource
0x412208 GetThreadLocale
0x41220c LocalFree
0x412210 LocalAlloc
0x412214 GetCurrentProcess
0x412218 GetCurrentThread
0x41221c GetVersionExW
0x412220 FormatMessageW
0x412224 lstrcatW
0x41222c GetCommandLineW
0x412230 GetStdHandle
0x41223c GetSystemInfo
0x412248 CreateDirectoryW
0x41224c GetTickCount
0x412250 RemoveDirectoryW
0x412254 GlobalUnlock
0x412258 GlobalLock
0x41225c FindResourceW
0x412260 GetExitCodeProcess
0x412264 CreateProcessW
0x412268 GetSystemDirectoryW
0x41227c GetCurrentThreadId
0x412280 SetFilePointerEx
0x412284 SetFilePointer
0x412288 MulDiv
0x41228c GlobalAlloc
0x412290 GlobalFree
0x412294 GetModuleHandleW
0x412298 GlobalDeleteAtom
0x41229c lstrcmpW
0x4122a0 CompareStringA
0x4122a4 GetLocaleInfoW
0x4122a8 lstrcmpA
0x4122b0 GetVersion
0x4122b4 CreateMutexA
0x4122b8 GetStringTypeExA
0x4122bc GetLogicalDrives
0x4122c4 CreateEventA
0x4122c8 PulseEvent
0x4122cc OutputDebugStringA
0x4122d0 GetFullPathNameA
0x4122d4 LockFileEx
0x4122d8 GetTempPathA
0x4122dc GetFileAttributesA
0x4122e0 DeleteFileA
0x4122e8 CreateFileA
0x4122ec WriteConsoleW
0x4122f0 WriteConsoleA
0x4122f4 GetStringTypeW
0x4122f8 GetStringTypeA
0x4122fc IsValidCodePage
0x412300 IsValidLocale
0x412304 GetDateFormatA
0x412308 GetTimeFormatA

.text
`.rdata
@.data
.rsrc
9=l~G
SVWUj
L\vAa
e@]Zd
ZK8z9W
k_kS4
lAGv{
9['TA
0>H;2
IB]o<
./P4j
67QMRT
s66Ze
`)M;1QJ
,1jVR
j#N4J2
8RtA<
k!{2U?
wD>pY
Ko#}!
5+JpJ
/7F0u
BvO2g
LOs!t
~*GEu
Sa,b$F=
+c7Kg?
5;YH#a
{WC5D
V8_PDa
[\qSzU
@#1$v
#@iYd
:)"3s
D=QX!
u|V#1
rZCS3]
$Ca0y
3;8T;
;#u[;<
/L@EXJ
zrX%o
/`=cOw
scNi'
qw+u1
'LrA&
6f6:_
BFxe84
37bHq
4V*-+
OSFm\
}MqLp
bqz0C
D~xsz
2Fw^h
=)T;H(~n
MmhQJ
ESon)
y6:{U
$gJ#P
Those Who Will Not Learn From History
THOSE WHO WILL NOT LEARN FROM their mistakes
This example copies two strings that each contain a substring of 29 characters
This example copies two strings that each contain a substring of 29 characters
greater than
less than
equal to
greater than
less than
equal to
Kernel32.dll
SetProcessDEPPolicy
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
CorExitProcess
GetCurrentPackageId
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
SystemParametersInfoA
IntersectRect
OffsetRect
DefWindowProcW
GetDlgCtrlID
PtInRect
CopyRect
EqualRect
AdjustWindowRectEx
GetSysColor
RegisterClassW
GetClassInfoW
GetClassInfoExW
GetMenu
UpdateWindow
GetScrollPos
SetScrollPos
GetScrollRange
SetScrollRange
ScrollWindow
MapWindowPoints
GetMessagePos
GetMessageTime
GetTopWindow
EnableWindow
SendMessageW
EnumThreadWindows
GetWindowTextLengthW
GetWindowTextW
UnregisterClassA
RemovePropW
GetPropW
SetPropW
GetClassLongW
WinHelpW
SendDlgItemMessageA
SendDlgItemMessageW
CheckDlgButton
GetDlgItemTextW
SetDlgItemTextW
IsDlgButtonChecked
IsDialogMessageW
MoveWindow
ShowWindow
FillRect
TabbedTextOutW
DrawTextW
DrawTextExW
GrayStringW
ClientToScreen
GetDC
ReleaseDC
EndPaint
CopyAcceleratorTableW
IsRectEmpty
SetRect
InvalidateRect
InvalidateRgn
SetCapture
ReleaseCapture
MapDialogRect
SetWindowContextHelpId
GetNextDlgGroupItem
MessageBeep
GetSysColorBrush
LoadCursorW
UnregisterClassW
CharUpperW
PostThreadMessageW
CharNextW
SetTimer
KillTimer
GetMonitorInfoA
EnumDisplayMonitors
SendMessageA
LoadImageA
GetWindowTextA
GetWindowLongA
CreateDialogParamW
SetWindowLongA
DispatchMessageA
IsDialogMessageA
PeekMessageA
CallWindowProcA
EnableScrollBar
PostMessageA
DialogBoxParamW
MessageBoxIndirectW
SetWindowsHookExA
EnumWindows
LoadStringA
GetClassNameA
FindWindowA
USER32.dll
GetProcAddress
GetModuleHandleA
GetProcessHeap
GetCurrentDirectoryA
SetEnvironmentVariableW
ReleaseSemaphore
CreateSemaphoreA
GetShortPathNameW
CloseHandle
GetFileSizeEx
CreateFileW
CopyFileW
FlushFileBuffers
WriteFile
GetSystemTime
WaitForSingleObject
GetLastError
CreateMutexW
WideCharToMultiByte
GetACP
MultiByteToWideChar
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
DeleteFileW
SetFileAttributesW
SetCurrentDirectoryW
GetVolumeInformationW
SetErrorMode
lstrcpyW
GetCurrentDirectoryW
GetTempPathW
ReadFile
GetFileSize
GetDriveTypeA
GetLogicalDriveStringsA
FindNextFileW
FreeLibrary
LoadResource
FindResourceExW
LoadLibraryW
GetModuleFileNameW
ReleaseMutex
SetLastError
GetUserDefaultLangID
GetTempFileNameW
SizeofResource
GetThreadLocale
LocalFree
LocalAlloc
GetCurrentProcess
GetCurrentThread
GetVersionExW
FormatMessageW
lstrcatW
GetFileAttributesExW
FreeConsole
GetCommandLineW
GetStdHandle
GlobalMemoryStatusEx
IsProcessorFeaturePresent
GetSystemInfo
GetSystemWindowsDirectoryW
GetLogicalDriveStringsW
CreateDirectoryW
GetTickCount
RemoveDirectoryW
GlobalUnlock
GlobalLock
FindResourceW
GetExitCodeProcess
CreateProcessW
GetSystemDirectoryW
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
SetFilePointerEx
SetFilePointer
MulDiv
GlobalAlloc
GlobalFree
GetModuleHandleW
GlobalDeleteAtom
lstrcmpW
CompareStringA
GetLocaleInfoW
lstrcmpA
EnumResourceLanguagesW
GetVersion
CreateMutexA
GetStringTypeExA
GetLogicalDrives
QueryPerformanceFrequency
CreateEventA
PulseEvent
OutputDebugStringA
GetFullPathNameA
LockFileEx
GetTempPathA
GetFileAttributesA
DeleteFileA
SetEnvironmentVariableA
CreateFileA
WriteConsoleW
WriteConsoleA
GetStringTypeW
GetStringTypeA
IsValidCodePage
IsValidLocale
GetDateFormatA
GetTimeFormatA
GetLocaleInfoA
GetConsoleMode
GetConsoleCP
GetTimeZoneInformation
LCMapStringW
LCMapStringA
Sleep
GetOEMCP
GetCPInfo
QueryPerformanceCounter
VirtualFree
HeapCreate
HeapDestroy
SetHandleCount
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetModuleFileNameA
HeapSize
VirtualQuery
VirtualAlloc
VirtualProtect
CreateThread
ExitThread
ExitProcess
GetFileType
SetStdHandle
HeapReAlloc
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
ConvertDefaultLocale
HeapAlloc
HeapFree
GetFileTime
lstrlenA
FileTimeToSystemTime
GetFullPathNameW
DuplicateHandle
SetEndOfFile
UnlockFile
LockFile
MoveFileW
GlobalFlags
TlsFree
LocalReAlloc
TlsSetValue
TlsAlloc
GlobalHandle
GlobalReAlloc
TlsGetValue
GlobalFindAtomW
CompareStringW
LoadLibraryA
GetVersionExA
FreeResource
RaiseException
WritePrivateProfileStringW
GetCurrentProcessId
GlobalAddAtomW
ResumeThread
IsDebuggerPresent
EncodePointer
DecodePointer
InterlockedIncrement
InterlockedDecrement
GetModuleHandleExW
InitializeCriticalSectionAndSpinCount
InitOnceExecuteOnce
GetSystemTimeAsFileTime
GetTickCount64
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringEx
LoadLibraryExW
OutputDebugStringW
RtlUnwind
KERNEL32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
33333333330
33333333330
3333330
333330
33330
33330
333330
3333330
33333333330
33333333330
333333330
333333330
333333330
333333330
333333330
333333330
Eja-JP
zh-CN
ko-KR
zh-TW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
mscoree.dll
runtime error
Program:
<program name unknown>
Microsoft Visual C++ Runtime Library
dkernel32.dll
USER32.DLL
nCONOUT$
IDC_FINGER
MS Shell Dlg
SafeDisc
SecuROM
LaserLock
Hide CD-R
ModelMaker 6.20 Trial Edition(Bold for Delphi Revision 4 Trial Edition
Setup not found
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Right
&Retry
Menu index out of range
Scan line index out of range!Cannot change the size of an icon
List index out of bounds (%d)
Bits index out of range
Assertion failed
Write
Integer overflow Invalid floating point operation
This file is not on VirusTotal.

Process Tree


corona.mor, PID: 3008, Parent PID: 2592
Full Path: C:\Users\user\AppData\Local\Temp\corona.mor
Command Line: "C:\Users\user\AppData\Local\Temp\corona.mor"
corona.mor, PID: 828, Parent PID: 3008
Full Path: C:\Users\user\AppData\Local\Temp\corona.mor
Command Line: "C:\Users\user\AppData\Local\Temp\corona.mor"
cmd.exe, PID: 1664, Parent PID: 828
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: /c sc delete WinDefend
cmd.exe, PID: 1732, Parent PID: 828
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmd.exe, PID: 2288, Parent PID: 828
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: /c sc stop WinDefend
cpspoa.mor, PID: 1988, Parent PID: 828
Full Path: C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
Command Line: C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
powershell.exe, PID: 1828, Parent PID: 1732
Full Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command Line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
sc.exe, PID: 3064, Parent PID: 2288
Full Path: C:\Windows\SysWOW64\sc.exe
Command Line: sc stop WinDefend
sc.exe, PID: 860, Parent PID: 1664
Full Path: C:\Windows\SysWOW64\sc.exe
Command Line: sc delete WinDefend
cpspoa.mor, PID: 2860, Parent PID: 1988
Full Path: C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
Command Line: C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name cpspoa.mor
Associated Filenames
C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
File Size 394048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4c828e6887c195250b3ac3b702bf61ac
SHA1 1a638b7c5cc88945c44668d59849cbb0eee6463b
SHA256 e30f1ea0b6e3b7fa083270a1de65103b54ee7c78049282ae17060435dfbee051
CRC32 348E07E5
Ssdeep 6144:3XR8wObqRyN8tc7rmr4vkU4FWJkcby0I8IdUZTm+m9PG9+BeDHGFm:3BQKc7rUEyWdI8ISlCBIIm
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Download Download ZIP Submit file
File name 6B1BX536UG036N2TANTU.temp
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B1BX536UG036N2TANTU.temp
File Size 4096 bytes
File Type data
MD5 503b7c9ab21f5ccdf7a6ff64a832370f
SHA1 74c3f9d70033bfc05bfe6214f7c7398f265090dd
SHA256 d1944d03b2b1dac1befd14a433268675872689499eb197feef451813a78618ae
CRC32 FE3B79D4
Ssdeep 96:sqCUdMqY4+qvsqvJCwor1aqCUdMqY4+qvsEHyqvJCwoM:sE1or1aEdHnoM
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Download Download ZIP Submit file
File name d93f411851d7c929.customDestinations-ms
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
File Size 8016 bytes
File Type data
MD5 f8104f5d62836f29dca48ceb06b4ebd0
SHA1 e10723eff0de6661d67e85d9805107437b5ee77f
SHA256 75c6580eccefafd395b7c3bc45d905e55109fc92caadb9d73fffd4a64dcf402a
CRC32 B1E44588
Ssdeep 96:sqCUdMqY4+qvsqvJCwor1aqCUdMqY4+qvsEHyqvJCwort1dCD3mbH8YBxCXAlUV/:sE1or1aEdHnort1dCrYBxClFf
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Download Download ZIP Submit file
Type Extracted Shellcode
Size 286720 bytes
Virtual Address 0x3510000
Process corona.mor
PID 3008
Path C:\Users\user\AppData\Local\Temp\corona.mor
MD5 17d986478fcd051aadb2b8117f130408
SHA1 574ac91c4206af2c41090c7a41d4053a676cbcaf
SHA256 ca40493cc94d4e5d98270a2ddda2dc89b060e3bbc616773f4df10586aa5c62c7
CRC32 87F6E55B
Ssdeep 3072:jDZmvLA1+uZQFeg33u5n7VzfzOnDO0D8az6jRtxIymMqD1bxzyrwDVNG:nZ4LA1BaHgn7oD54VjRtiyYNcJ
Yara
  • shellcode - Matched shellcode byte patterns
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
CAPE Yara None matched
Download Download ZIP
Type Extracted PE Image: 32-bit executable
Size 166912 bytes
Virtual Address 0x3560000
Process corona.mor
PID 3008
Path C:\Users\user\AppData\Local\Temp\corona.mor
MD5 317856c8eacf619b9637ec18597d4902
SHA1 7c3bc22cbd9f06376882c27e9a781e703f0cb804
SHA256 d7721cd9a281b3efbf640400a6e4c304d2f1cbae8c3fbff6f4df7640dcb4ae35
CRC32 EEFC3C2B
Ssdeep 3072:xeSsnd+ns956O0VkC9OZO3IY5WT5xmSZFCZEtZ2z01QHxcntG++rDeyqlJ4HJ3Hp:xAEseO0uC9YwIJvHjvZ2yZnt7LMHFH+U
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Extracted Shellcode
Size 8192 bytes
Virtual Address 0x3f0000
Process corona.mor
PID 3008
Path C:\Users\user\AppData\Local\Temp\corona.mor
MD5 6539d8d48bd6ed57fceba840fe565f66
SHA1 49efe4158d5dc876b7c409b95f92980667cd9206
SHA256 7ebe215dd1528138b1b994f664f136101ae452641173e79c51df23f1a5c9f3a7
CRC32 52B4E142
Ssdeep 192:DV0hpP3aXDxJkzv17yP8f1OGsg6hpApnxfD478SzI/Yv1:DV0DP3aT30Dtsg6DApx88SzD
Yara
  • shellcode - Matched shellcode byte patterns
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
CAPE Yara None matched
Download Download ZIP
Type Extracted Shellcode
Size 8192 bytes
Virtual Address 0x3fe0000
Process powershell.exe
PID 1828
Path C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
MD5 184334330feb37790083e20b6806dd3a
SHA1 00ac157522c1748bcfbec0087c211e7706555377
SHA256 a51b8e52f5b2a1794eeee233058b4af033c9edbb479d4aef6aa90c3f7b095e64
CRC32 EC1AABA5
Ssdeep 48:lWCkBbLABSpL3IYa8bg/Zc9cKMHEwEX+d9MBKH6g9YgsExr6uOyO2:lkBVpEl6cJKPwEOdCeYgnKyN
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Extracted Shellcode
Size 16384 bytes
Virtual Address 0x4040000
Process powershell.exe
PID 1828
Path C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
MD5 197ff09f84e83358649fbf25b26076b5
SHA1 aa274f7929f0867a8edc49c40e59eab36387a14c
SHA256 a240ea52ae3a58a640c0f9453082f235dd0fd35958b8f566dc86e685c6c5e78b
CRC32 7465F02B
Ssdeep 96:T8LVBvzPoJUscYbPszq9Rg1l8I5tkoue5g8unwjvgKlA59thvMi8IohTTHKsK1H4:Ux2zgzUCUouekw+9thvMi1eTbeY8
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Extracted PE Image: 64-bit executable
Size 115200 bytes
Virtual Address 0x3e0000
Process cpspoa.mor
PID 2860
Path C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
MD5 8dd7d272ee4a18edca830571a0539de1
SHA1 5262a8831850cbdb1c8c845c880fad49dd5d2f3b
SHA256 597f8b14927c9b8f10b8ae204bd27b1e22a8d00a52fbaddcd4c55de31c346a1f
CRC32 69C303C0
Ssdeep 3072:G6hibrqX9uXFfuoNE6wYPGTkg6mLtH+jYURXNPY:/UMoNTR6kzsJeR9P
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Extracted PE Image: 64-bit executable
Size 13358 bytes
Virtual Address 0x530000
Process cpspoa.mor
PID 2860
Path C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
MD5 50324cd3b3dcb78fdda0b41f103883e1
SHA1 4f47e649bf7e34afcb08e1cc655b3db4dc4ce60b
SHA256 dfaa0994944a19ae8a0ffae96859bfa0b3c43200bb69765f8f3c97d802770f90
CRC32 128EDD7D
Ssdeep 192:zrnm1vAuKDn7PKm3XOHfEhIbrc3vCBWHRqTMUFLVXCaHTrtRHcurEzUo:PngKnKBMhIbrYmAqwUFQaXtlcQe
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Extracted PE Image: 64-bit executable
Size 14336 bytes
Virtual Address 0x10000000
Process cpspoa.mor
PID 2860
Path C:\Users\user\AppData\Roaming\cleanmem\cpspoa.mor
MD5 19e3559055592298d51e1fbe439e4b58
SHA1 54720286e3f94e277baf563cf85f1ed24164a381
SHA256 cd33c0241b2f4e76a2c87ebe00136b64d46f6b0c85d0f67581273b3400a8da8f
CRC32 7E685B0B
Ssdeep 192:+nm1vAuKDn7PKm3XOHfEhIbrc3vCBWHRqTMUFLVXCaHTrtBHcuLEzU:+ngKnKBMhIbrYmAqwUFQaXtVcA
Yara None matched
CAPE Yara None matched
Download Download ZIP
Sorry! No process dumps.

Comments



No comments posted

Processing ( 4.635 seconds )

  • 2.263 BehaviorAnalysis
  • 1.211 CAPE
  • 0.312 Static
  • 0.304 Dropped
  • 0.273 TargetInfo
  • 0.128 TrID
  • 0.099 Deduplicate
  • 0.028 Strings
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.003 config_decoder
  • 0.002 Debug

Signatures ( 1.003 seconds )

  • 0.125 stealth_timeout
  • 0.108 PlugX
  • 0.1 antiav_detectreg
  • 0.088 decoy_document
  • 0.079 api_spamming
  • 0.039 infostealer_ftp
  • 0.036 Doppelganging
  • 0.028 injection_createremotethread
  • 0.027 InjectionCreateRemoteThread
  • 0.022 injection_runpe
  • 0.022 infostealer_im
  • 0.021 InjectionProcessHollowing
  • 0.021 antianalysis_detectreg
  • 0.019 InjectionInterProcess
  • 0.017 infostealer_mail
  • 0.015 antiav_detectfile
  • 0.012 antivm_generic_scsi
  • 0.01 recon_programs
  • 0.01 mimics_filetime
  • 0.01 antivm_generic_disk
  • 0.01 antivm_vbox_keys
  • 0.01 infostealer_bitcoin
  • 0.008 reads_self
  • 0.007 bootkit
  • 0.007 stealth_file
  • 0.007 virus
  • 0.007 antivm_vmware_keys
  • 0.007 recon_fingerprint
  • 0.006 kibex_behavior
  • 0.006 antivm_vbox_files
  • 0.005 antidebug_guardpages
  • 0.005 betabot_behavior
  • 0.005 antivm_parallels_keys
  • 0.005 antivm_xen_keys
  • 0.005 geodo_banking_trojan
  • 0.005 darkcomet_regkeys
  • 0.004 exploit_heapspray
  • 0.004 infostealer_browser
  • 0.004 antivm_generic_services
  • 0.004 persistence_autorun
  • 0.004 hancitor_behavior
  • 0.004 ransomware_files
  • 0.003 stack_pivot
  • 0.003 antiemu_wine_func
  • 0.003 infostealer_browser_password
  • 0.003 dynamic_function_loading
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_vpc_keys
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 shifu_behavior
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antidbg_devices
  • 0.002 browser_security
  • 0.001 lsass_credential_dumping
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 dyre_behavior
  • 0.001 antiav_avast_libs
  • 0.001 rat_luminosity
  • 0.001 exploit_getbasekerneladdress
  • 0.001 Locky_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 kazybot_behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 antivm_vbox_libs
  • 0.001 ipc_namedpipe
  • 0.001 exec_crash
  • 0.001 encrypted_ioc
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_xen_keys
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 bypass_firewall
  • 0.001 codelux_behavior
  • 0.001 disables_browser_warn
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_pcclient

Reporting ( 0.075 seconds )

  • 0.075 CompressResults
Task ID 36413
Mongo ID 5c61c8b4f284883e41aea93d
Cuckoo release 1.3-CAPE
Delete