Analysis

Category: FILE
Package: exe
Started: 2019-02-11 19:35:57
Completed: 2019-02-11 19:40:36
Duration: 279 seconds

  • Error: The analysis hit the critical timeout, terminating.

Options:
route = internet
import_reconstruction = 1
procdump = 1

Log:
2019-02-11 19:35:58,000 [root] INFO: Date set to: 02-11-19, time set to: 19:35:58, timeout set to: 200
2019-02-11 19:35:58,015 [root] DEBUG: Starting analyzer from: C:\lfcen
2019-02-11 19:35:58,015 [root] DEBUG: Storing results at: C:\Gztvthc
2019-02-11 19:35:58,015 [root] DEBUG: Pipe server name: \\.\PIPE\kzbFIckT
2019-02-11 19:35:58,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-02-11 19:35:58,015 [root] INFO: Automatically selected analysis package "exe"
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Browser
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 19:35:58,404 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Human
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 19:35:58,404 [root] DEBUG: Started auxiliary module Usage
2019-02-11 19:35:58,404 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-02-11 19:35:58,404 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-02-11 19:35:58,576 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\masterblankov24.exe" with arguments "" with pid 2932
2019-02-11 19:35:58,576 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:35:58,576 [lib.api.process] INFO: 32-bit DLL to inject is C:\lfcen\dll\TKVGsShI.dll, loader C:\lfcen\bin\koVqBPu.exe
2019-02-11 19:35:58,624 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2932
2019-02-11 19:36:00,635 [lib.api.process] INFO: Successfully resumed process with pid 2932
2019-02-11 19:36:00,635 [root] INFO: Added new process to list with pid: 2932
2019-02-11 19:36:00,697 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:00,697 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:00,697 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:00,760 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2932 at 0x748b0000, image base 0x400000, stack from 0x186000-0x190000
2019-02-11 19:36:00,760 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\masterblankov24.exe".
2019-02-11 19:36:00,760 [root] INFO: Monitor successfully loaded in process with pid 2932.
2019-02-11 19:36:00,760 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-02-11 19:36:00,838 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:01,608 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-02-11 19:36:01,609 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-02-11 19:36:02,612 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-02-11 19:36:04,641 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-02-11 19:36:04,657 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2660
2019-02-11 19:36:04,657 [root] INFO: Added new process to list with pid: 2660
2019-02-11 19:36:04,657 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:36:04,657 [lib.api.process] INFO: 32-bit DLL to inject is C:\lfcen\dll\TKVGsShI.dll, loader C:\lfcen\bin\koVqBPu.exe
2019-02-11 19:36:04,671 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2660
2019-02-11 19:36:04,750 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:04,750 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:04,750 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:04,750 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:04,766 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2660 at 0x748b0000, image base 0x49d80000, stack from 0x1e3000-0x2e0000
2019-02-11 19:36:04,766 [root] DEBUG: Commandline: C:\Windows\System32\cmd.exe \C cscript \e:vbscript \nologo "C:\Users\user\AppData\Local\Temp\temp.txt".
2019-02-11 19:36:04,766 [root] INFO: Monitor successfully loaded in process with pid 2660.
2019-02-11 19:36:04,812 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-02-11 19:36:04,859 [root] INFO: Announced 32-bit process name: cscript.exe pid: 3052
2019-02-11 19:36:04,859 [root] INFO: Added new process to list with pid: 3052
2019-02-11 19:36:04,859 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:36:04,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\lfcen\dll\TKVGsShI.dll, loader C:\lfcen\bin\koVqBPu.exe
2019-02-11 19:36:04,859 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3052
2019-02-11 19:36:04,859 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:04,859 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:04,859 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:04,875 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:04,875 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3052 at 0x748b0000, image base 0x300000, stack from 0x2a6000-0x2b0000
2019-02-11 19:36:04,875 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cscript  \e:vbscript \nologo "C:\Users\user\AppData\Local\Temp\temp.txt".
2019-02-11 19:36:04,875 [root] INFO: Monitor successfully loaded in process with pid 3052.
2019-02-11 19:36:04,875 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-02-11 19:36:04,891 [root] DEBUG: DLL unloaded from 0x00300000.
2019-02-11 19:36:04,905 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-02-11 19:36:04,905 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-02-11 19:36:04,937 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\SysWOW64\vbscript (0x6b000 bytes).
2019-02-11 19:36:04,953 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-02-11 19:36:04,953 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-02-11 19:36:04,953 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-02-11 19:36:04,953 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-02-11 19:36:04,953 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-02-11 19:36:04,969 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-02-11 19:36:04,969 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-02-11 19:36:05,000 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-02-11 19:36:05,000 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-02-11 19:36:05,000 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-02-11 19:36:05,000 [root] DEBUG: DLL loaded at 0x744C0000: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip (0x9000 bytes).
2019-02-11 19:36:05,000 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-02-11 19:36:05,030 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2019-02-11 19:36:05,030 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2019-02-11 19:36:05,046 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2019-02-11 19:36:05,094 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2019-02-11 19:36:05,108 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2019-02-11 19:36:05,125 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-02-11 19:36:05,125 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-02-11 19:36:12,878 [root] INFO: Stopped WMI Service
2019-02-11 19:36:12,878 [root] INFO: Attaching to DcomLaunch service (pid 564)
2019-02-11 19:36:12,878 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-02-11 19:36:12,878 [lib.api.process] INFO: 64-bit DLL to inject is C:\lfcen\dll\oXvliPYg.dll, loader C:\lfcen\bin\rhtQWDjb.exe
2019-02-11 19:36:12,894 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:12,894 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:12,894 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:12,894 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:12,908 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:36:12,908 [root] WARNING: Unable to hook LockResource
2019-02-11 19:36:12,924 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 564 at 0x00000000742C0000, image base 0x00000000FFA10000, stack from 0x0000000002316000-0x0000000002320000
2019-02-11 19:36:12,924 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-02-11 19:36:12,924 [root] INFO: Added new process to list with pid: 564
2019-02-11 19:36:12,924 [root] INFO: Monitor successfully loaded in process with pid 564.
2019-02-11 19:36:16,917 [root] INFO: Started WMI Service
2019-02-11 19:36:16,917 [root] INFO: Attaching to WMI service (pid 2240)
2019-02-11 19:36:16,917 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-02-11 19:36:16,917 [lib.api.process] INFO: 64-bit DLL to inject is C:\lfcen\dll\oXvliPYg.dll, loader C:\lfcen\bin\rhtQWDjb.exe
2019-02-11 19:36:16,917 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:16,917 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:16,917 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:16,917 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:16,917 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:36:16,917 [root] WARNING: Unable to hook LockResource
2019-02-11 19:36:16,934 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2240 at 0x00000000742C0000, image base 0x00000000FFA10000, stack from 0x0000000001856000-0x0000000001860000
2019-02-11 19:36:16,934 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-02-11 19:36:16,934 [root] INFO: Added new process to list with pid: 2240
2019-02-11 19:36:16,934 [root] INFO: Monitor successfully loaded in process with pid 2240.
2019-02-11 19:36:18,946 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2019-02-11 19:36:18,961 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\wbem\wmiutils (0x17000 bytes).
2019-02-11 19:36:18,961 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-02-11 19:36:18,993 [root] DEBUG: DLL loaded at 0x000007FEF9E80000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-02-11 19:36:18,993 [root] DEBUG: DLL loaded at 0x000007FEFB270000: C:\Windows\system32\ATL (0x19000 bytes).
2019-02-11 19:36:18,993 [root] DEBUG: DLL loaded at 0x000007FEF9E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-02-11 19:36:19,009 [root] DEBUG: DLL loaded at 0x000007FEFA870000: C:\Windows\system32\samcli (0x14000 bytes).
2019-02-11 19:36:19,009 [root] DEBUG: DLL loaded at 0x000007FEFB820000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-02-11 19:36:19,023 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-02-11 19:36:19,039 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-02-11 19:36:19,055 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-02-11 19:36:19,086 [root] DEBUG: DLL loaded at 0x000007FEF9540000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-02-11 19:36:19,086 [root] DEBUG: DLL loaded at 0x000007FEF94D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-02-11 19:36:19,086 [root] DEBUG: DLL loaded at 0x000007FEF9A00000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-02-11 19:36:19,086 [root] DEBUG: DLL loaded at 0x000007FEF9980000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-02-11 19:36:19,101 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-02-11 19:36:19,101 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-02-11 19:36:19,118 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2019-02-11 19:36:19,134 [root] DEBUG: DLL loaded at 0x741D0000: C:\Windows\system32\wbem\fastprox (0x96000 bytes).
2019-02-11 19:36:19,148 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2019-02-11 19:36:19,148 [root] DEBUG: DLL loaded at 0x000007FEFCAC0000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-02-11 19:36:19,164 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-02-11 19:36:19,180 [root] DEBUG: DLL loaded at 0x000007FEF90B0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-02-11 19:36:19,180 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-02-11 19:36:19,180 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-02-11 19:36:19,196 [root] DEBUG: DLL unloaded from 0x000007FEFCB00000.
2019-02-11 19:36:19,368 [root] DEBUG: DLL loaded at 0x000007FEF80F0000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-02-11 19:36:19,368 [root] DEBUG: DLL loaded at 0x000007FEFA0C0000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-02-11 19:36:19,398 [root] DEBUG: DLL loaded at 0x000007FEF2AB0000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-02-11 19:36:19,446 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-02-11 19:36:19,632 [root] DEBUG: DLL loaded at 0x000007FEFA1E0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-02-11 19:36:19,664 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 996
2019-02-11 19:36:19,664 [root] INFO: Added new process to list with pid: 996
2019-02-11 19:36:19,664 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:36:19,664 [lib.api.process] INFO: 64-bit DLL to inject is C:\lfcen\dll\oXvliPYg.dll, loader C:\lfcen\bin\rhtQWDjb.exe
2019-02-11 19:36:19,664 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 996
2019-02-11 19:36:19,680 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:19,680 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:19,680 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:19,680 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:19,694 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:36:19,694 [root] WARNING: Unable to hook LockResource
2019-02-11 19:36:19,694 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 996 at 0x00000000742C0000, image base 0x00000000FFFE0000, stack from 0x00000000001A0000-0x00000000001B0000
2019-02-11 19:36:19,694 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2019-02-11 19:36:19,694 [root] INFO: Monitor successfully loaded in process with pid 996.
2019-02-11 19:36:19,694 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-02-11 19:36:19,710 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-02-11 19:36:19,710 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-02-11 19:36:19,789 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-02-11 19:36:19,803 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-02-11 19:36:19,803 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-02-11 19:36:19,819 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-02-11 19:36:19,819 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-02-11 19:36:19,819 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-02-11 19:36:19,835 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-02-11 19:36:19,881 [root] DEBUG: DLL loaded at 0x000007FEF8080000: C:\Windows\system32\wbem\msiprov (0x65000 bytes).
2019-02-11 19:36:19,898 [root] DEBUG: DLL loaded at 0x000007FEF7820000: C:\Windows\system32\msi (0x316000 bytes).
2019-02-11 19:36:20,023 [root] DEBUG: DLL loaded at 0x000007FEF2A10000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\COMCTL32 (0xa0000 bytes).
2019-02-11 19:36:20,038 [root] DEBUG: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\WINTRUST (0x3a000 bytes).
2019-02-11 19:36:20,038 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-02-11 19:36:20,038 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-02-11 19:36:20,115 [root] DEBUG: DLL loaded at 0x000007FEFA1D0000: C:\Windows\system32\MSISIP (0xb000 bytes).
2019-02-11 19:36:20,256 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-02-11 19:36:20,959 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-02-11 19:36:21,006 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-02-11 19:36:21,644 [root] DEBUG: DLL loaded at 0x000007FEFC530000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2019-02-11 19:36:21,786 [root] DEBUG: DLL unloaded from 0x000007FEFD1F0000.
2019-02-11 19:36:22,394 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-02-11 19:36:22,440 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-02-11 19:36:22,892 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-02-11 19:36:22,956 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-02-11 19:36:23,407 [root] DEBUG: DLL loaded at 0x000007FEFC390000: C:\Windows\system32\GPAPI (0x1b000 bytes).
2019-02-11 19:36:23,486 [root] DEBUG: DLL loaded at 0x000007FEFD030000: C:\Windows\system32\WINSTA (0x3d000 bytes).
2019-02-11 19:36:23,970 [root] DEBUG: DLL loaded at 0x000007FEF9BB0000: C:\Windows\system32\cryptnet (0x26000 bytes).
2019-02-11 19:36:24,405 [root] DEBUG: DLL loaded at 0x000007FEFBA20000: C:\Windows\system32\SensApi (0x9000 bytes).
2019-02-11 19:36:25,608 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-02-11 19:36:26,278 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-02-11 19:36:29,023 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-02-11 19:36:29,132 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2019-02-11 19:36:35,061 [root] DEBUG: DLL unloaded from 0x747F0000.
2019-02-11 19:36:35,138 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-02-11 19:36:35,388 [root] DEBUG: DLL unloaded from 0x744C0000.
2019-02-11 19:36:35,482 [root] DEBUG: DLL unloaded from 0x75790000.
2019-02-11 19:36:36,808 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-02-11 19:36:36,839 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2019-02-11 19:36:40,365 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-02-11 19:36:40,411 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-02-11 19:36:40,473 [root] DEBUG: DLL loaded at 0x000007FEF44E0000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2019-02-11 19:36:42,456 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\system32\mswsock (0x55000 bytes).
2019-02-11 19:36:43,375 [root] DEBUG: DLL loaded at 0x000007FEFC3D0000: C:\Windows\system32\DEVRTL (0x12000 bytes).
2019-02-11 19:36:45,420 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2019-02-11 19:36:45,420 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2019-02-11 19:36:45,763 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2019-02-11 19:36:45,855 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-02-11 19:36:45,855 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-02-11 19:36:46,573 [root] DEBUG: DLL loaded at 0x000007FEFAD90000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2019-02-11 19:36:46,605 [root] DEBUG: DLL unloaded from 0x000007FEFC390000.
2019-02-11 19:36:46,605 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-02-11 19:36:48,571 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-02-11 19:36:48,601 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-02-11 19:36:48,601 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-02-11 19:36:48,648 [root] INFO: Announced starting service "msiserver"
2019-02-11 19:36:48,648 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-02-11 19:36:48,648 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-02-11 19:36:48,648 [lib.api.process] INFO: 64-bit DLL to inject is C:\lfcen\dll\oXvliPYg.dll, loader C:\lfcen\bin\rhtQWDjb.exe
2019-02-11 19:36:48,648 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:48,648 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:48,648 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:48,648 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:48,648 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:36:48,648 [root] WARNING: Unable to hook LockResource
2019-02-11 19:36:48,664 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000742C0000, image base 0x00000000FFA10000, stack from 0x00000000019D6000-0x00000000019E0000
2019-02-11 19:36:48,664 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-02-11 19:36:48,664 [root] INFO: Added new process to list with pid: 460
2019-02-11 19:36:48,664 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-02-11 19:36:49,053 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-02-11 19:36:49,476 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2019-02-11 19:36:49,724 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-02-11 19:36:49,756 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2544
2019-02-11 19:36:49,756 [root] INFO: Added new process to list with pid: 2544
2019-02-11 19:36:49,756 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:36:49,756 [lib.api.process] INFO: 64-bit DLL to inject is C:\lfcen\dll\oXvliPYg.dll, loader C:\lfcen\bin\rhtQWDjb.exe
2019-02-11 19:36:49,756 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2544
2019-02-11 19:36:49,849 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:36:49,849 [root] DEBUG: Process dumps enabled.
2019-02-11 19:36:49,849 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:36:49,849 [root] INFO: Disabling sleep skipping.
2019-02-11 19:36:49,849 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:36:49,865 [root] WARNING: Unable to hook LockResource
2019-02-11 19:36:49,865 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2544 at 0x00000000742C0000, image base 0x00000000FF5A0000, stack from 0x00000000000F5000-0x0000000000100000
2019-02-11 19:36:49,865 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe \V.
2019-02-11 19:36:49,865 [root] INFO: Monitor successfully loaded in process with pid 2544.
2019-02-11 19:36:49,865 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32 (0x1f4000 bytes).
2019-02-11 19:36:49,897 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-02-11 19:36:49,897 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-02-11 19:36:49,897 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-02-11 19:36:49,897 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-02-11 19:36:49,897 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-02-11 19:36:49,897 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-02-11 19:36:49,911 [root] DEBUG: DLL unloaded from 0x000007FEF7820000.
2019-02-11 19:36:54,499 [root] DEBUG: DLL unloaded from 0x000007FEFD360000.
2019-02-11 19:36:55,247 [root] DEBUG: DLL unloaded from 0x000007FEFA1D0000.
2019-02-11 19:36:55,855 [root] DEBUG: DLL unloaded from 0x000007FEFA1D0000.
2019-02-11 19:36:56,496 [root] DEBUG: DLL loaded at 0x000007FEFC710000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2019-02-11 19:36:56,885 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-02-11 19:36:57,276 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2019-02-11 19:36:57,415 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\APPHELP (0x57000 bytes).
2019-02-11 19:37:05,168 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2019-02-11 19:37:06,308 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-02-11 19:37:09,927 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-02-11 19:37:10,878 [root] DEBUG: DLL unloaded from 0x000007FEF9BB0000.
2019-02-11 19:37:17,180 [root] DEBUG: DLL loaded at 0x000007FEF2CC0000: C:\Windows\system32\MSCOREE (0x6f000 bytes).
2019-02-11 19:37:19,645 [root] DEBUG: DLL loaded at 0x000007FEF2C20000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-02-11 19:37:28,023 [root] DEBUG: DLL loaded at 0x000007FEF56C0000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2019-02-11 19:37:30,519 [root] DEBUG: DLL unloaded from 0x000007FEFD1F0000.
2019-02-11 19:37:37,928 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-02-11 19:37:43,654 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-02-11 19:37:45,214 [root] ERROR: Traceback (most recent call last):
  File "C:\lfcen\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\lfcen\lib\core\log.py", line 68, in handle_logs
    self.resultserver_socket.sendall(data)
  File "C:\Python27\lib\socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 10053] An established connection was aborted by the software in your host machine
Traceback (most recent call last):
  File "C:\lfcen\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\lfcen\lib\core\log.py", line 68, in handle_logs
    self.resultserver_socket.sendall(data)
  File "C:\Python27\lib\socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 10053] An established connection was aborted by the software in your host machine
2019-02-11 19:37:55,667 [root] INFO: Announced 64-bit process name: taskhost.exe pid: 2332
2019-02-11 19:37:55,667 [root] INFO: Added new process to list with pid: 2332
2019-02-11 19:37:55,667 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:37:55,667 [lib.api.process] INFO: 64-bit DLL to inject is C:\lfcen\dll\oXvliPYg.dll, loader C:\lfcen\bin\rhtQWDjb.exe
2019-02-11 19:37:55,744 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2332
2019-02-11 19:37:55,884 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:37:55,884 [root] DEBUG: Process dumps enabled.
2019-02-11 19:37:55,884 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-02-11 19:37:55,884 [root] INFO: Disabling sleep skipping.
2019-02-11 19:37:55,947 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:37:55,947 [root] WARNING: Unable to hook LockResource
2019-02-11 19:37:55,947 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2332 at 0x00000000742C0000, image base 0x00000000FFC30000, stack from 0x0000000000135000-0x0000000000140000
2019-02-11 19:37:55,947 [root] DEBUG: Commandline: C:\Windows\sysnative\"taskhost.exe".
2019-02-11 19:37:55,947 [root] INFO: Monitor successfully loaded in process with pid 2332.
2019-02-11 19:37:55,963 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-02-11 19:37:55,979 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-02-11 19:37:55,993 [root] DEBUG: DLL loaded at 0x000007FEFA040000: C:\Windows\System32\wdi (0x19000 bytes).
2019-02-11 19:37:56,102 [root] DEBUG: DLL loaded at 0x000007FEFA1C0000: C:\Windows\system32\radarrs (0x18000 bytes).
2019-02-11 19:37:56,165 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32 (0x1f4000 bytes).
2019-02-11 19:37:56,180 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-02-11 19:37:56,197 [root] DEBUG: DLL loaded at 0x000007FEF9910000: C:\Windows\system32\RstrtMgr (0x33000 bytes).
2019-02-11 19:37:56,213 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-02-11 19:37:56,227 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-02-11 19:37:56,227 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-02-11 19:37:56,227 [root] DEBUG: DLL loaded at 0x000007FEF8CA0000: C:\Windows\system32\wer (0x7c000 bytes).
2019-02-11 19:37:56,259 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-02-11 19:37:56,290 [root] DEBUG: DLL unloaded from 0x00000000FFC30000.
2019-02-11 19:38:32,966 [root] DEBUG: DLL unloaded from 0x000007FEFC880000.
2019-02-11 19:38:39,440 [root] DEBUG: DLL unloaded from 0x000007FEFC290000.
2019-02-11 19:38:39,549 [root] DEBUG: DLL unloaded from 0x000007FEFC890000.
2019-02-11 19:38:39,954 [root] DEBUG: DLL unloaded from 0x000007FEFAE20000.
2019-02-11 19:38:39,970 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2019-02-11 19:38:57,473 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-02-11 19:40:17,033 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-02-11 19:40:17,033 [root] INFO: Created shutdown mutex.
2019-02-11 19:40:18,048 [root] INFO: Setting terminate event for process 2932.
2019-02-11 19:40:18,141 [root] DEBUG: Terminate Event: Attempting to dump process 2932
2019-02-11 19:40:18,157 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-02-11 19:40:18,157 [root] DEBUG: ApiReader: module list size: 22
2019-02-11 19:40:18,157 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-02-11 19:40:18,157 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
2019-02-11 19:40:18,157 [root] DEBUG: Module parsing: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
2019-02-11 19:40:18,157 [root] DEBUG: isModuleLoadedInOwnProcess returned false: \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-02-11 19:35:57 2019-02-11 19:40:31

File Details

File Name masterblankov24
File Size 385656 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 81379132fcc3052e53f794dfae53acb6
SHA1 8564efa19608b56b26dd62dd56a613bd0d3d33ec
SHA256 f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20
SHA512 f23b9039be19058d23abf5764a98a17debaafd00638e75909f20a372efe4a5c644f42c5f6b5f5263bee4ed27c70e7892004f0abd10d8bcfd7161a9264b2e01ac
CRC32 771D115A
Ssdeep 6144:O3L1P01/7jBA4DQFu/U3buRKlemZ9DnGAeBZ9ZEB+s+x+UOmUoT9zBdrS:O901/K4DQFu/U3buRKlemZ9DnGAeBDZ9
TrID
  • 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  • 16.8% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 7.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 7.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: C:\Windows\system32\cmd.exe /C cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Detected script timer window indicative of sleep style evasion
Window: WSH-Timer
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: PSAPI.DLL/GetMappedFileNameA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: oleaut32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: cscript.exe/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: ole32.dll/BindMoniker
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/IsThreadAFiber
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: COMCTL32.DLL/InitCommonControlsEx
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/CreateWaitableTimerW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: ole32.dll/CLSIDFromOle1Class
DynamicLoader: CLBCatQ.DLL/GetCatalogObject
DynamicLoader: CLBCatQ.DLL/GetCatalogObject2
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: msi.dll/QueryInstanceCount
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/CancelWaitableTimer
DynamicLoader: msi.dll/DllGetClassObject
DynamicLoader: msi.dll/QueryInstanceCount
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: msi.dll/DllGetClassObject
DynamicLoader: msi.dll/DllCanUnloadNow
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/UuidFromStringW
DynamicLoader: radarrs.dll/WdiDiagnosticModuleMain
DynamicLoader: radarrs.dll/WdiHandleInstance
DynamicLoader: radarrs.dll/WdiGetDiagnosticModuleInterfaceVersion
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
Reads data out of its own binary image
self_read: process: cscript.exe, pid: 3052, offset: 0x00000000, length: 0x00000040
self_read: process: cscript.exe, pid: 3052, offset: 0x000000e8, length: 0x00000018
self_read: process: cscript.exe, pid: 3052, offset: 0x000001e0, length: 0x00000078
self_read: process: cscript.exe, pid: 3052, offset: 0x00015e00, length: 0x00000020
self_read: process: cscript.exe, pid: 3052, offset: 0x00015e58, length: 0x00000018
self_read: process: cscript.exe, pid: 3052, offset: 0x00015f50, length: 0x00000018
self_read: process: cscript.exe, pid: 3052, offset: 0x00016110, length: 0x00000010
self_read: process: cscript.exe, pid: 3052, offset: 0x00016230, length: 0x00000012
A scripting utility was executed
command: C:\Windows\system32\cmd.exe /C cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
Uses Windows utilities for basic functionality
command: C:\Windows\system32\cmd.exe /C cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
Network activity detected but not expressed in API logs
Detects Joe or Anubis Sandboxes through the presence of a file
Checks the presence of disk drives in the registry, possibly for anti-virtualization

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 23.57.66.35 [VT] United States
N 2.21.74.9 [VT] Europe

DNS

Name Response Post-Analysis Lookup
crl.microsoft.com [VT] A 2.21.74.16 [VT]
CNAME a1363.dscg.akamai.net [VT]
CNAME crl.www.ms.akadns.net [VT]
A 2.21.74.9 [VT]
A 23.57.66.11 [VT]
A 23.57.66.35 [VT]

Summary

C:\Users\user\AppData\Local\Temp\masterblankov24.ENG
C:\Users\user\AppData\Local\Temp\masterblankov24.ENG.DLL
C:\Users\user\AppData\Local\Temp\masterblankov24.EN
C:\Users\user\AppData\Local\Temp\masterblankov24.EN.DLL
C:\insidetm
C:\sample.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\28209
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\Temp\temp.txt
\Device\NamedPipe\
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\cscript.*
C:\Users\user\AppData\Local\Temp\cscript
C:\Windows\System32\cscript.*
C:\Windows\System32\cscript.COM
C:\Windows\System32\cscript.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\SysWOW64\wshom.ocx
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\System32\wbem\en-US\wmiutils.dll.mui
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository
C:\Windows\sysnative\wbem\Logs
C:\Windows\sysnative\wbem\AutoRecover
C:\Windows\sysnative\wbem\MOF
C:\Windows\sysnative\wbem\repository\INDEX.BTR
C:\Windows\sysnative\wbem\repository\WRITABLE.TST
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\WBEM9xUpgd.dat
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
C:\Windows\sysnative\msiexec.exe.Local\
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\
C:\Windows\Installer
C:\Windows\sysnative\en-US\radarrs.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
\Device\NamedPipe\
C:\Windows\SysWOW64\cscript.exe
C:\Users\user\AppData\Local\Temp\temp.txt
C:\Windows\SysWOW64\wshom.ocx
C:\Windows\System32\wbem\wbemdisp.tlb
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_CLASSES_ROOT\CLSID\{BE0A9830-2B8B-11d1-A949-0060181EBBAD}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{BE0A9830-2B8B-11d1-A949-0060181EBBAD}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE0A9830-2B8B-11D1-A949-0060181EBBAD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE0A9830-2B8B-11D1-A949-0060181EBBAD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE0A9830-2B8B-11D1-A949-0060181EBBAD}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{BE0A9830-2B8B-11d1-A949-0060181EBBAD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE0A9830-2B8B-11D1-A949-0060181EBBAD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE0A9830-2B8B-11D1-A949-0060181EBBAD}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wmi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\wmi
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\AppId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msiserver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msiserver\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msiserver\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msiserver\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msiserver\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msiserver\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\RequiredPrivileges
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Environment
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Volatile Environment
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Volatile Environment\0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CLASSES_ROOT\CLSID
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Secure
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
HKEY_LOCAL_MACHINE\Software\Classes\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Patches
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\msiexec.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C101C-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C101C-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C101C-0000-0000-C000-000000000046}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\13BAD134
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101C-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101C-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101C-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\AppID\taskhost.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\DiagnosticModules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Heap32ListFirst
kernel32.dll.Heap32ListNext
kernel32.dll.Heap32First
kernel32.dll.Heap32Next
kernel32.dll.Toolhelp32ReadProcessMemory
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.Process32FirstW
kernel32.dll.Process32NextW
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.Module32FirstW
kernel32.dll.Module32NextW
kernel32.dll.IsDebuggerPresent
psapi.dll.GetMappedFileNameA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoCreateInstance
oleaut32.dll.#500
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.SetConsoleInputExeNameW
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.HeapSetInformation
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
ole32.dll.CLSIDFromProgIDEx
ole32.dll.CoGetClassObject
cscript.exe.#1
ole32.dll.CreateBindCtx
ole32.dll.MkParseDisplayName
oleaut32.dll.#2
oleaut32.dll.#6
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
ole32.dll.BindMoniker
advapi32.dll.RegEnumKeyW
oleaut32.dll.#283
oleaut32.dll.#284
kernel32.dll.RegOpenKeyExW
kernel32.dll.NlsGetCacheUpdateCount
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
oleaut32.dll.#4
oleaut32.dll.#7
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
advapi32.dll.RegCreateKeyExW
advapi32.dll.RegSetValueExW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
kernel32.dll.IsThreadAFiber
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernel32.dll.SetThreadToken
kernelbase.dll.CheckTokenMembership
kernelbase.dll.AllocateAndInitializeSid
ole32.dll.CLSIDFromString
oleaut32.dll.#285
advapi32.dll.RegOpenKeyW
oleaut32.dll.#12
oleaut32.dll.#286
oleaut32.dll.#17
oleaut32.dll.#20
oleaut32.dll.#19
oleaut32.dll.#25
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.CoImpersonateClient
advapi32.dll.OpenThreadToken
ole32.dll.CoRevertToSelf
oleaut32.dll.#8
oleaut32.dll.#9
ole32.dll.CoSwitchCallContext
oleaut32.dll.#287
oleaut32.dll.#288
oleaut32.dll.#289
lpk.dll.LpkEditControl
comctl32.dll.InitCommonControlsEx
advapi32.dll.CheckTokenMembership
kernel32.dll.GetSystemWindowsDirectoryW
ole32.dll.CoInitializeSecurity
kernel32.dll.CreateWaitableTimerW
kernel32.dll.SetWaitableTimer
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
ole32.dll.NdrOleInitializeExtension
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
msi.dll.QueryInstanceCount
kernel32.dll.CancelWaitableTimer
msi.dll.DllGetClassObject
msi.dll.DllCanUnloadNow
rpcrt4.dll.UuidFromStringW
radarrs.dll.WdiDiagnosticModuleMain
radarrs.dll.WdiHandleInstance
radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion
version.dll.GetFileVersionInfoSizeW
C:\Windows\system32\cmd.exe /C cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\msiexec.exe /V
Local\MSCTF.Asm.MutexDefault1

PE Information

Image Base 0x00400000
Entry Point 0x0042a344
Reported Checksum 0x000607e6
Actual Checksum 0x000607e6
Minimum OS Version 4.0
Compile Time 2019-01-29 04:44:26
Import Hash 9021ac7d03d71ffb7226fbcc4b666674

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00028b80 0x00028c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.62
.itext 0x0002a000 0x000005c4 0x00000600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.13
.data 0x0002b000 0x00002350 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.33
.bss 0x0002e000 0x000062b8 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00035000 0x0000108a 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.74
.tls 0x00037000 0x0000000c 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x00038000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.21
.reloc 0x00039000 0x000024d4 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.62
.rsrc 0x0003c000 0x0002d800 0x0002d800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.40

Overlay

Offset 0x0005cc00
Size 0x00001678

Imports

Library oleaut32.dll:
0x43537c SysFreeString
0x435380 SysReAllocStringLen
0x435384 SysAllocStringLen
Library advapi32.dll:
0x43538c RegQueryValueExA
0x435390 RegOpenKeyExA
0x435394 RegCloseKey
Library user32.dll:
0x43539c GetKeyboardType
0x4353a0 DestroyWindow
0x4353a4 LoadStringA
0x4353a8 MessageBoxA
0x4353ac CharNextA
Library kernel32.dll:
0x4353b4 GetACP
0x4353b8 Sleep
0x4353bc VirtualFree
0x4353c0 VirtualAlloc
0x4353c4 GetTickCount
0x4353cc GetCurrentThreadId
0x4353d8 VirtualQuery
0x4353dc WideCharToMultiByte
0x4353e0 MultiByteToWideChar
0x4353e4 lstrlenA
0x4353e8 lstrcpynA
0x4353ec LoadLibraryExA
0x4353f0 GetThreadLocale
0x4353f4 GetStartupInfoA
0x4353f8 GetProcAddress
0x4353fc GetModuleHandleA
0x435400 GetModuleFileNameA
0x435404 GetLocaleInfoA
0x435408 GetCommandLineA
0x43540c FreeLibrary
0x435410 FindFirstFileA
0x435414 FindClose
0x435418 ExitProcess
0x43541c ExitThread
0x435420 CreateThread
0x435424 WriteFile
0x43542c RtlUnwind
0x435430 RaiseException
0x435434 GetStdHandle
Library kernel32.dll:
0x43543c TlsSetValue
0x435440 TlsGetValue
0x435444 LocalAlloc
0x435448 GetModuleHandleA
Library user32.dll:
0x435450 TranslateMessage
0x435454 PeekMessageA
0x43545c MessageBoxW
0x435460 MessageBoxA
0x435464 LoadStringA
0x435468 GetSystemMetrics
0x43546c DispatchMessageA
0x435470 CharLowerBuffW
0x435474 CharNextA
0x435478 CharLowerBuffA
0x43547c CharLowerA
0x435480 CharUpperA
0x435484 CharToOemA
Library kernel32.dll:
0x43548c lstrcmpiA
0x435490 WriteFile
0x435494 WaitForSingleObject
0x435498 VirtualQuery
0x43549c TerminateProcess
0x4354a0 SetFilePointer
0x4354a4 SetFileAttributesW
0x4354a8 SetEvent
0x4354ac SetEndOfFile
0x4354b0 ResumeThread
0x4354b4 ResetEvent
0x4354b8 ReadProcessMemory
0x4354bc ReadFile
0x4354c0 OpenProcess
0x4354c4 LoadLibraryA
0x4354d0 GlobalUnlock
0x4354d4 GlobalReAlloc
0x4354d8 GlobalHandle
0x4354dc GlobalLock
0x4354e0 GlobalFree
0x4354e4 GlobalAlloc
0x4354e8 GetVersionExA
0x4354ec GetThreadLocale
0x4354f0 GetStdHandle
0x4354f4 GetProcAddress
0x4354f8 GetModuleHandleA
0x4354fc GetModuleFileNameA
0x435500 GetLocaleInfoA
0x435504 GetLocalTime
0x435508 GetLastError
0x43550c GetFullPathNameA
0x435510 GetFileAttributesA
0x435514 GetExitCodeThread
0x43551c GetDriveTypeA
0x435520 GetDiskFreeSpaceA
0x435524 GetDateFormatA
0x435528 GetCurrentThreadId
0x43552c GetCurrentProcess
0x435530 GetCPInfo
0x435538 InterlockedExchange
0x435540 FreeLibrary
0x435544 FormatMessageA
0x435548 FindNextFileW
0x43554c FindNextFileA
0x435550 FindFirstFileW
0x435554 FindFirstFileA
0x435558 FindClose
0x435564 ExitProcess
0x435568 EnumCalendarInfoA
0x435570 DeleteFileW
0x435574 DeleteFileA
0x43557c CreateProcessW
0x435580 CreateProcessA
0x435584 CreatePipe
0x435588 CreateFileW
0x43558c CreateFileA
0x435590 CreateEventA
0x435594 CreateDirectoryW
0x435598 CompareStringA
0x43559c CloseHandle
Library advapi32.dll:
0x4355a4 RegQueryValueExA
0x4355a8 RegOpenKeyExA
0x4355ac RegCloseKey
Library kernel32.dll:
0x4355b4 Sleep
Library oleaut32.dll:
0x4355bc SafeArrayPtrOfIndex
0x4355c0 SafeArrayGetUBound
0x4355c4 SafeArrayGetLBound
0x4355c8 SafeArrayCreate
0x4355cc VariantChangeType
0x4355d0 VariantCopy
0x4355d4 VariantClear
0x4355d8 VariantInit
Library shell32.dll:
Library shell32.dll:
0x4355ec SHGetMalloc

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
Int64
System
IInterface
2004, 2005 Pierre le Riche / Professional Software Development
An unexpected memory leak has occurred.
bytes:
Unknown
String
The sizes of unexpected leaked medium and large blocks are:
Unexpected Memory Leak
UhU9@
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Ph(?@
UhyD@
tCh\]@
kernel32.dll
GetLongPathNameA
Uhu^@
Software\Borland\Locales
Software\Borland\Delphi\Locales
UhDa@
ERangeError|q@
False
AM/PM
D$LPj
WUWSj
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarOr
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
Variants
Empty
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Error
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
Int64
String
Array
ByRef
False
Classes
Classes
Classes
Classes
Ph\"A
Strings
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_
^$.[()|?+*\{]}
No errors
TRegExpr(comp): Null Argument
TRegExpr(comp): Regexp Too Big
TRegExpr(comp): ParseReg Too Many ()
TRegExpr(comp): ParseReg Unmatched ()
TRegExpr(comp): ParseReg Junk On End
TRegExpr(comp): *+ Operand Could Be Empty
TRegExpr(comp): Nested *?+
TRegExpr(comp): Bad Hex Digit
TRegExpr(comp): Invalid [] Range
TRegExpr(comp): Parse Atom Trailing \
TRegExpr(comp): No Hex Code After \x
TRegExpr(comp): Hex Code After \x Is Too Big
TRegExpr(comp): Unmatched []
TRegExpr(comp): Internal Urp
TRegExpr(comp): ?+*{ Follows Nothing
TRegExpr(comp): Trailing \
TRegExpr(comp): RarseAtom Internal Disaster
TRegExpr(comp): BRACES Argument Too Big
TRegExpr(comp): BRACE Min Param Greater then Max
TRegExpr(comp): Unclosed (?#Comment)
TRegExpr(comp): If you want take part in beta-testing BRACES '{min,max}' and non-greedy ops '*?', '+?', '??' for complex cases - remove '.' from {.$DEFINE ComplexBraces}
TRegExpr(comp): Urecognized Modifier
TRegExpr(comp): LinePairedSeparator must countain two different chars or no chars at all
TRegExpr(exec): RegRepeat Called Inappropriately
TRegExpr(exec): MatchPrim Memory Corruption
TRegExpr(exec): MatchPrim Corrupted Pointers
TRegExpr(exec): Not Assigned Expression Property
TRegExpr(exec): Corrupted Program
TRegExpr(exec): No Input String Specified
TRegExpr(exec): Offset Must Be Greater Then 0
TRegExpr(exec): ExecNext Without Exec[Pos]
TRegExpr(exec): GetInputString Without InputString
TRegExpr(dump): Corrupted Opcode
TRegExpr(exec): Loop Stack Exceeded
TRegExpr(exec): Loop Without LoopEntry !
TRegExpr(misc): Bad p-code imported
Unknown error
UhESA
Uh`UA
Uh~[A
0123456789
UhVuA
0123456789
(pos
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
0123456789ABCDEF
|$DPE
D$Hf=
uBigIntsV3
C:\ERIK\DEVELOPMENT\VEGA\v1\uBigIntsV3.pas
Scratchpad synch problem
C:\ERIK\DEVELOPMENT\VEGA\v1\Base64.pas
Assertion failure
Zm9vYg==
fooba
Zm9vYmE=
foobar
Zm9vYmFy
9v YmF y
9v YmE
ZgBvAA==
ZgBvAG8A
ZgBvAG8AYgA=
ZgBvAG8AYgBhAA==
ZgBvAG8AYgBhAHIA
ZgBvAG8AYgBhAA=
8AYg Bh AHI A
8AY gBhAA==
base64.pas :: Test fails!
Error
Runtime error at 00000000
^$.[()|?+*\{
?456789:;<=
!"#$%&'()*+,-./0123
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
kernel32.dll
GetACP
Sleep
VirtualFree
VirtualAlloc
GetTickCount
QueryPerformanceCounter
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
ExitThread
CreateThread
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
user32.dll
TranslateMessage
PeekMessageA
MsgWaitForMultipleObjects
MessageBoxW
MessageBoxA
LoadStringA
GetSystemMetrics
DispatchMessageA
CharLowerBuffW
CharNextA
CharLowerBuffA
CharLowerA
CharUpperA
CharToOemA
kernel32.dll
lstrcmpiA
WriteFile
WaitForSingleObject
VirtualQuery
TerminateProcess
SetFilePointer
SetFileAttributesW
SetEvent
SetEndOfFile
ResumeThread
ResetEvent
ReadProcessMemory
ReadFile
OpenProcess
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalAlloc
GetVersionExA
GetThreadLocale
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetExitCodeThread
GetEnvironmentVariableA
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcess
GetCPInfo
InterlockedIncrement
InterlockedExchange
InterlockedDecrement
FreeLibrary
FormatMessageA
FindNextFileW
FindNextFileA
FindFirstFileW
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitProcess
EnumCalendarInfoA
EnterCriticalSection
DeleteFileW
DeleteFileA
DeleteCriticalSection
CreateProcessW
CreateProcessA
CreatePipe
CreateFileW
CreateFileA
CreateEventA
CreateDirectoryW
CompareStringA
CloseHandle
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll
Sleep
oleaut32.dll
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
shell32.dll
SHGetSpecialFolderLocation
shell32.dll
SHGetPathFromIDListW
SHGetMalloc
uBigIntsV3
SysUtils
ImageHlp
KWindows
UTypes
SysInit
System
SysConst
QTypInfo
"RTLConsts
CVariants
$VarUtils
MiniReg
FindFiles
base64
Crypto
PasZip
\StreamUnit
YAESUtils
ElAES
oRSAUtils
Utils
YStrUtils
(ShlObj
UrlMon
sActiveX
3Messages
?WinInet
RegStr
*ShellAPI
CommCtrl
TlHelp32
Sandboxes
LShortcuts
^Classes
RegExpr
fooba
foobar
MAINICON(
Thread Error: %s (%d)
Invalid property value
%s (%s, line %d)
Write$Error creating variant or safe array)Variant or safe array index out of bounds
VS_VERSION_INFO
StringFileInfo
041904E3
FileDescription
FileVersion
1, 0, 0, 1
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

  • masterblankov24.exe 2932
    • cmd.exe 2660 C:\Windows\system32\cmd.exe /C cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
      • cscript.exe 3052 cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
  • services.exe 460 C:\Windows\system32\services.exe

masterblankov24.exe, PID: 2932, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\masterblankov24.exe
Command Line: "C:\Users\user\AppData\Local\Temp\masterblankov24.exe"
cmd.exe, PID: 2660, Parent PID: 2932
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: C:\Windows\system32\cmd.exe /C cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
cscript.exe, PID: 3052, Parent PID: 2660
Full Path: C:\Windows\SysWOW64\cscript.exe
Command Line: cscript //e:vbscript //nologo "C:\Users\user\AppData\Local\Temp\temp.txt"
svchost.exe, PID: 564, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe, PID: 2240, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
msiexec.exe, PID: 2544, Parent PID: 460
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe /V
taskhost.exe, PID: 2332, Parent PID: 460
Full Path: C:\Windows\sysnative\taskhost.exe
Command Line: "taskhost.exe"

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 23.57.66.35 United States
N 2.21.74.9 Europe

TCP

Source Source Port Destination Destination Port
192.168.35.21 49175 2.21.74.9 crl.microsoft.com 80
192.168.35.21 49178 23.57.66.35 crl.microsoft.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
crl.microsoft.com A 2.21.74.16
CNAME a1363.dscg.akamai.net
CNAME crl.www.ms.akadns.net
A 2.21.74.9
A 23.57.66.11
A 23.57.66.35

HTTP Requests

URI Data
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
GET /pki/crl/products/CSPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

http://crl.microsoft.com/pki/crl/products/WinPCA.crl
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT
If-None-Match: "0cb60772f2dd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name 28209
Associated Filenames
C:\Users\user\AppData\Local\Temp\28209
File Size 1 bytes
File Type very short file (no magic)
MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
CRC32 D202EF8D
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name temp.txt
Associated Filenames
C:\Users\user\AppData\Local\Temp\temp.txt
File Size 2639 bytes
File Type ASCII text, with CRLF line terminators
MD5 930cd063743eae090f1f4fcfebb30f27
SHA1 b4564d8404136d0f7197181d99c8316229b7a526
SHA256 1b1f8b6e97662ffa73e651227a33cb9c52ac778b5d53d2605302438b9d3d9e64
CRC32 F6E2C60A
Ssdeep 48:eUakBnLVUvT04H8Tjltpc8jiiERBEoLVU9CZJbj:ezkBxUvo4H8H4iALVUkZJn
ClamAV None
Yara None matched
CAPE Yara None matched
On Error Resume Next

Set objShell = CreateObject("Wscript.Shell")
Set objNet = CreateObject("WScript.Network")
Set oFileSystem = CreateObject("Scripting.FileSystemObject") 
Set objWMIService = GetObject("winmgmts:\\" & objNet.ComputerName & "\root\CIMV2")

Set colItems = objWMIService.ExecQuery("Select * FROM Win32_Product",,48)
Set drivesList = oFileSystem.Drives 

Sub DpySpaceInfo(ByVal infotype, ByVal drvSpace, ByVal percentage) 
    textline = Space(12 - Len(infotype)) & infotype & Space(17 - Len(drvSpace)) & drvSpace 
    If percentage <> "" Then textline = textline & Space(11 - Len(percentage)) & percentage 
    WScript.Echo textline 
End Sub 
 
Sub GetDriveSpace(ByRef drive) 
    totalSpace = drive.TotalSize / 1024 
    freeSpace = drive.AvailableSpace / 1024 
    percentFree = freeSpace / totalSpace 
    percentUsed = 1 - percentFree 
    dpyUsedSpace = FormatNumber(totalSpace - freeSpace, 0, vbTrue, vbFalse, vbTrue) & " KB" 
    dpyFreeSpace = FormatNumber(freeSpace, 0, vbTrue, vbFalse, vbTrue) & " KB" 
    dpyTotalSpace = FormatNumber(totalSpace, 0, vbTrue, vbFalse, vbTrue) & " KB" 
    dpyPercentUsed = "(" & FormatPercent(percentUsed, 2, vbTrue, vbFalse, vbTrue) & ")" 
    dpyPercentFree = "(" & FormatPercent(percentFree, 2, vbTrue, vbFalse, vbTrue) & ")" 
    WScript.Echo
    WScript.Echo "Space info for drive " & drive.DriveLetter & ":" 
    DpySpaceInfo "Used Space:", dpyUsedSpace, dpyPercentUsed 
    DpySpaceInfo "Free Space:", dpyFreeSpace, dpyPercentFree 
    DpySpaceInfo "Total Space:", dpyTotalSpace, "" 
End Sub 
 
WScript.Echo
WScript.Echo "OS:" 
WScript.Echo
For Each os in objWMIService.ExecQuery ("Select * from Win32_OperatingSystem")
    Wscript.Echo os.Caption & " v" & os.Version
Next

Dim currentDate
currentDate = Date
Dim currentTime
currentTime = Time

WScript.Echo
WScript.Echo _
    strLogPath & _
    "Date: " & _
    Year(currentDate) & _
    "-" & _
    Month(currentDate) & _
    "-" & _
    Day(currentDate) & vbCrLf & _
    "Time: " & _
    Hour(currentTime) & _
    "-" & _
    Minute(currentTime) & _
    "-" & _
    Second(currentTime)

WScript.Echo
WScript.Echo "Drives:" 
For Each d In drivesList 
    If d.DriveType = 2 Then GetDriveSpace d 
Next 

WScript.Echo
WScript.Echo "Software:" 
WScript.Echo
For Each objItem In colItems
If (InStr(objItem.Name, "C++") = 0) And (InStr(objItem.Name, ".NET") = 0) And (InStr(objItem.Name, "J#") = 0) Then
    WScript.Echo _
        objItem.Name & " | " & _
        objItem.Vendor & " | v" & _
        objItem.Version
End If
Next

WScript.Sleep 1000
File name 7B2238AACCEDC3F1FFE8E7EB5F575EC9
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
File Size 506 bytes
File Type data
MD5 a26dcbb948da05ec8af97885dbd149b0
SHA1 cfa529c048ec394a1203853c0c9a5e28ea23f035
SHA256 3ceb4a8069b2b9e5fdf508ef67d5af5b9d3e6a7b417919953a89fa9773e16440
CRC32 F940B0E1
Ssdeep 12:kYmJrXuBF74BBQ4TI0gIpoL4/Qat8CiaNwtxjz8lbADJr5:kXDuD743QqI0gG/j5wtFz4bo5
ClamAV None
Yara None matched
CAPE Yara None matched
File name 7B2238AACCEDC3F1FFE8E7EB5F575EC9
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
File Size 220 bytes
File Type data
MD5 592e146488fac1ebfafd0d8c948a9b2c
SHA1 9496dead0f7cd1d3135838e3a2f48ccb46620461
SHA256 ad53fcb050c285c55757ab2ddf0861a1f430799cd669b4630a1979309284fbe6
CRC32 18EA3A4B
Ssdeep 3:kkFklNlivE/XfllXlE/tude/ehlR82ClRRly+MlMJXcXl+B5lRkKlmE18aLU1j:kKHvkiuIWnB7WJM1+ff8E+Lj
ClamAV None
Yara None matched
CAPE Yara None matched
File name 9435f817-fed2-454e-88cd-7f78fda62c48
Associated Filenames
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
File Size 12 bytes
File Type data
MD5 660dbbd1339b4412e2b6e0bde5048f3c
SHA1 b3c7a320061fda5b5d540588c81bbdfd1322094b
SHA256 143d6e9a727ed118ea3e72f06a539d1834773b2989e75072e80dce8da8cfaf0d
CRC32 E9C534BF
Ssdeep 3:/KtYl/l:j/l
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 65.464 seconds )

  • 63.181 BehaviorAnalysis
  • 0.694 TargetInfo
  • 0.67 CAPE
  • 0.462 Static
  • 0.199 TrID
  • 0.103 Deduplicate
  • 0.103 Dropped
  • 0.024 Strings
  • 0.014 NetworkAnalysis
  • 0.007 AnalysisInfo
  • 0.006 config_decoder
  • 0.001 Debug

Signatures ( 28.101 seconds )

  • 2.844 stealth_timeout
  • 2.382 api_spamming
  • 2.294 Doppelganging
  • 2.228 decoy_document
  • 1.899 Extraction
  • 1.76 dyre_behavior
  • 1.372 infostealer_browser
  • 1.326 infostealer_browser_password
  • 1.26 exploit_heapspray
  • 1.198 injection_createremotethread
  • 1.196 ipc_namedpipe
  • 1.162 injection_rwx
  • 1.12 InjectionCreateRemoteThread
  • 1.087 antidebug_guardpages
  • 1.02 injection_runpe
  • 1.01 InjectionProcessHollowing
  • 0.978 reads_self
  • 0.818 InjectionInterProcess
  • 0.732 stack_pivot
  • 0.075 antiav_detectreg
  • 0.027 lsass_credential_dumping
  • 0.018 PlugX
  • 0.018 infostealer_ftp
  • 0.017 antianalysis_detectreg
  • 0.016 mimics_filetime
  • 0.016 antivm_generic_disk
  • 0.013 stealth_file
  • 0.011 bootkit
  • 0.011 injection_explorer
  • 0.011 virus
  • 0.011 infostealer_im
  • 0.009 antivm_generic_scsi
  • 0.009 hancitor_behavior
  • 0.008 antivm_vbox_libs
  • 0.008 antiav_detectfile
  • 0.008 infostealer_mail
  • 0.007 persistence_autorun
  • 0.005 malicious_dynamic_function_loading
  • 0.005 recon_programs
  • 0.005 antiemu_wine_func
  • 0.005 dynamic_function_loading
  • 0.005 antivm_vbox_keys
  • 0.004 exploit_getbasekerneladdress
  • 0.004 antivm_generic_services
  • 0.004 betabot_behavior
  • 0.004 exploit_gethaldispatchtable
  • 0.004 kibex_behavior
  • 0.004 exec_crash
  • 0.004 ransomware_message
  • 0.004 kovter_behavior
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 tinba_behavior
  • 0.003 antiav_avast_libs
  • 0.003 antianalysis_detectfile
  • 0.003 antivm_vmware_keys
  • 0.003 infostealer_bitcoin
  • 0.002 rat_nanocore
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antisandbox_sboxie_libs
  • 0.002 antidbg_windows
  • 0.002 vawtrak_behavior
  • 0.002 cerber_behavior
  • 0.002 antiav_bitdefender_libs
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vbox_files
  • 0.002 antivm_xen_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 darkcomet_regkeys
  • 0.002 recon_fingerprint
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 office_flash_load
  • 0.001 antivm_vmware_libs
  • 0.001 process_interest
  • 0.001 regsvr32_squiblydoo_dll_load
  • 0.001 shifu_behavior
  • 0.001 ursnif_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.702 seconds )

  • 0.702 CompressResults
Task ID 36424
Mongo ID 5c61d0adf284884f68b2da90
Cuckoo release 1.3-CAPE