Analysis

Category Package Started Completed Duration Options Log
FILE Injection 2019-08-13 15:47:00 2019-08-13 15:51:14 254 seconds Show Options Show Log
procmemdump = 1
import_reconstruction = 1
procdump = 0
route = internet
2019-08-13 16:47:06,000 [root] INFO: Date set to: 08-13-19, time set to: 15:47:06, timeout set to: 200
2019-08-13 16:47:06,217 [root] DEBUG: Starting analyzer from: C:\osuwnxuczd
2019-08-13 16:47:06,217 [root] DEBUG: Storing results at: C:\HcRMmVz
2019-08-13 16:47:06,217 [root] DEBUG: Pipe server name: \\.\PIPE\MRYwxuQ
2019-08-13 16:47:06,233 [root] INFO: Analysis package "Injection" has been specified.
2019-08-13 16:47:07,825 [root] DEBUG: Started auxiliary module Browser
2019-08-13 16:47:07,839 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 16:47:07,839 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 16:47:09,229 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 16:47:09,229 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 16:47:09,229 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 16:47:09,229 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 16:47:09,229 [root] DEBUG: Started auxiliary module Human
2019-08-13 16:47:09,243 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 16:47:09,243 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 16:47:09,243 [root] DEBUG: Started auxiliary module Usage
2019-08-13 16:47:09,243 [root] INFO: Analyzer: DLL set to Injection.dll from package modules.packages.Injection
2019-08-13 16:47:09,243 [root] INFO: Analyzer: DLL_64 set to Injection_x64.dll from package modules.packages.Injection
2019-08-13 16:47:09,306 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe" with arguments "" with pid 1844
2019-08-13 16:47:09,306 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:47:09,306 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:47:09,306 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:47:09,306 [lib.api.process] INFO: 32-bit DLL to inject is C:\osuwnxuczd\dll\getTpDt.dll, loader C:\osuwnxuczd\bin\KNQhYbn.exe
2019-08-13 16:47:09,338 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:47:09,338 [root] DEBUG: Loader: Injecting process 1844 (thread 2996) with C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:09,338 [root] DEBUG: Process image base: 0x00400000
2019-08-13 16:47:09,338 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:09,338 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004ED000 - 0x77380000
2019-08-13 16:47:09,338 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x004F0000.
2019-08-13 16:47:09,338 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:47:09,354 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:09,354 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1844
2019-08-13 16:47:11,365 [lib.api.process] INFO: Successfully resumed process with pid 1844
2019-08-13 16:47:11,365 [root] INFO: Added new process to list with pid: 1844
2019-08-13 16:47:11,490 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:47:11,490 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:47:11,490 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:47:11,490 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:47:11,599 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 1844 at 0x74af0000, image base 0x400000, stack from 0x186000-0x190000
2019-08-13 16:47:11,599 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:11,599 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:11,599 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:11,599 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:11,599 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe".
2019-08-13 16:47:11,615 [root] INFO: Monitor successfully loaded in process with pid 1844.
2019-08-13 16:47:11,647 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x03970000 to global list ().
2019-08-13 16:47:11,772 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-08-13 16:47:12,207 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-08-13 16:47:12,207 [root] DEBUG: DLL unloaded from 0x00400000.
2019-08-13 16:47:30,069 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x100 amd local view 0x75B20000 to global list (\KnownDlls32\SHELL32.dll).
2019-08-13 16:47:30,085 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-08-13 16:47:30,132 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 16:47:30,148 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2348, ImageBase: 0x00400000
2019-08-13 16:47:30,164 [root] INFO: Announced 32-bit process name: JJB-175325-_33001.exe pid: 2348
2019-08-13 16:47:30,164 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:47:30,164 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:47:30,164 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:47:30,164 [lib.api.process] INFO: 32-bit DLL to inject is C:\osuwnxuczd\dll\getTpDt.dll, loader C:\osuwnxuczd\bin\KNQhYbn.exe
2019-08-13 16:47:30,164 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:47:30,180 [root] DEBUG: Loader: Injecting process 2348 (thread 1880) with C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:30,180 [root] DEBUG: Process image base: 0x00400000
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004ED000 - 0x77380000
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x004F0000.
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:47:30,180 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:30,180 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2348
2019-08-13 16:47:30,180 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000ACED9 (process 2348).
2019-08-13 16:47:30,180 [root] INFO: Announced 32-bit process name: JJB-175325-_33001.exe pid: 2348
2019-08-13 16:47:30,180 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:47:30,180 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:47:30,180 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:47:30,180 [lib.api.process] INFO: 32-bit DLL to inject is C:\osuwnxuczd\dll\getTpDt.dll, loader C:\osuwnxuczd\bin\KNQhYbn.exe
2019-08-13 16:47:30,180 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:47:30,180 [root] DEBUG: Loader: Injecting process 2348 (thread 1880) with C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:30,180 [root] DEBUG: Process image base: 0x00400000
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004ACED9)
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:30,180 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-08-13 16:47:30,180 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\getTpDt.dll.
2019-08-13 16:47:30,180 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2348
2019-08-13 16:47:30,180 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2348, image base 0x00400000.
2019-08-13 16:47:30,180 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 16:47:30,180 [root] DEBUG: DumpProcess: Module entry point VA is 0x000ACED9.
2019-08-13 16:47:30,194 [root] INFO: Added new CAPE file to list with path: C:\osuwnxuczd\CAPE\1844_8522144483072013282019
2019-08-13 16:47:30,194 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xe9c00.
2019-08-13 16:47:30,194 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2019-08-13 16:47:30,194 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2348.
2019-08-13 16:47:30,194 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2348.
2019-08-13 16:47:30,194 [root] INFO: Notified of termination of process with pid 1844.
2019-08-13 16:47:30,194 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:47:30,210 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:47:30,210 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:47:30,210 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:47:30,226 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:30,226 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2348 at 0x74af0000, image base 0x400000, stack from 0x186000-0x190000
2019-08-13 16:47:30,226 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe".
2019-08-13 16:47:30,226 [root] INFO: Added new process to list with pid: 2348
2019-08-13 16:47:30,226 [root] INFO: Monitor successfully loaded in process with pid 2348.
2019-08-13 16:47:30,242 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x03B30000 to global list ().
2019-08-13 16:47:30,726 [lib.api.process] WARNING: Unable to find process dump for process 1844.
2019-08-13 16:47:30,726 [root] INFO: Process with pid 1844 has terminated
2019-08-13 16:47:37,589 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x75B20000 to global list (\KnownDlls32\SHELL32.dll).
2019-08-13 16:47:37,589 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-08-13 16:47:37,621 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-08-13 16:47:37,621 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x74780000 to global list ().
2019-08-13 16:47:37,621 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-08-13 16:47:37,621 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 amd local view 0x082C0000 to global list ().
2019-08-13 16:47:37,621 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x082C0000 to global list ().
2019-08-13 16:47:37,635 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x741D0000 for section view with handle 0x104 ().
2019-08-13 16:47:37,635 [root] DEBUG: DLL loaded at 0x741D0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5ab000 bytes).
2019-08-13 16:47:37,635 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74130000 for section view with handle 0x108 ().
2019-08-13 16:47:37,651 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2019-08-13 16:47:37,651 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2348, handle 0x114.
2019-08-13 16:47:37,651 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x00160000 to global list (\BaseNamedObjects\Cor_Private_IPCBlock_2348).
2019-08-13 16:47:37,667 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x118 amd local view 0x00170000 to global list (\BaseNamedObjects\Cor_Public_IPCBlock_2348).
2019-08-13 16:47:37,683 [root] DEBUG: DLL loaded at 0x74120000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 16:47:37,683 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 amd local view 0x73160000 to global list ().
2019-08-13 16:47:37,713 [root] DEBUG: DLL loaded at 0x73160000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni (0xaf8000 bytes).
2019-08-13 16:47:37,713 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-08-13 16:47:37,713 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d0 amd local view 0x035F0000 to global list ().
2019-08-13 16:47:37,713 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 16:47:37,730 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 16:47:37,760 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d4 amd local view 0x740C0000 to global list ().
2019-08-13 16:47:37,776 [root] DEBUG: DLL loaded at 0x740C0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2019-08-13 16:47:37,885 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e8 amd local view 0x0A550000 to global list ().
2019-08-13 16:47:38,026 [root] DEBUG: DLL loaded at 0x0A550000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni (0x79c000 bytes).
2019-08-13 16:47:38,026 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73F30000 for section view with handle 0x1e8 ().
2019-08-13 16:47:38,042 [root] DEBUG: DLL loaded at 0x73F30000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni (0x188000 bytes).
2019-08-13 16:47:38,042 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0ACF0000 for section view with handle 0x1e8 ().
2019-08-13 16:47:38,213 [root] DEBUG: DLL loaded at 0x0ACF0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni (0xbde000 bytes).
2019-08-13 16:47:38,338 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08030000 for section view with handle 0x1e8 ().
2019-08-13 16:47:38,369 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x08070000 to global list ().
2019-08-13 16:47:38,447 [root] DEBUG: DLL loaded at 0x73F10000: C:\Windows\system32\bcrypt (0x17000 bytes).
2019-08-13 16:47:38,526 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x73D70000 to global list ().
2019-08-13 16:47:38,556 [root] DEBUG: DLL loaded at 0x73D70000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni (0x19b000 bytes).
2019-08-13 16:47:38,650 [root] DEBUG: DLL loaded at 0x73D60000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-08-13 16:47:38,650 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 16:47:38,713 [root] DEBUG: DLL loaded at 0x71DA0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2019-08-13 16:47:38,775 [root] DEBUG: DLL loaded at 0x71D40000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2019-08-13 16:47:38,822 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-08-13 16:47:38,822 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-08-13 16:47:46,653 [root] INFO: Stopped WMI Service
2019-08-13 16:47:46,653 [root] INFO: Attaching to DcomLaunch service (pid 568)
2019-08-13 16:47:46,700 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:47:46,700 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:47:46,700 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:47:46,700 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:47:46,716 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:47:46,746 [root] DEBUG: Loader: Injecting process 568 (thread 0) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:46,746 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 16:47:46,762 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:47:46,778 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:47:46,778 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:47:46,778 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:47:46,778 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:46,871 [root] WARNING: Unable to place hook on LockResource
2019-08-13 16:47:46,871 [root] WARNING: Unable to hook LockResource
2019-08-13 16:47:46,934 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 568 at 0x0000000071C60000, image base 0x00000000FF8E0000, stack from 0x0000000001436000-0x0000000001440000
2019-08-13 16:47:46,934 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-08-13 16:47:46,934 [root] INFO: Added new process to list with pid: 568
2019-08-13 16:47:46,934 [root] INFO: Monitor successfully loaded in process with pid 568.
2019-08-13 16:47:46,964 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 16:47:46,980 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 16:47:46,980 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:49,039 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2500, handle 0x5ac.
2019-08-13 16:47:51,552 [root] INFO: Started WMI Service
2019-08-13 16:47:51,552 [root] INFO: Attaching to WMI service (pid 2500)
2019-08-13 16:47:51,566 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:47:51,566 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:47:51,566 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:47:51,566 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:47:51,566 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:47:51,566 [root] DEBUG: Loader: Injecting process 2500 (thread 0) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:51,566 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 16:47:51,566 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:47:51,582 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:47:51,598 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:47:51,598 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:47:51,644 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:51,661 [root] WARNING: Unable to place hook on LockResource
2019-08-13 16:47:51,661 [root] WARNING: Unable to hook LockResource
2019-08-13 16:47:51,661 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 2500 at 0x0000000071C60000, image base 0x00000000FF8E0000, stack from 0x0000000001636000-0x0000000001640000
2019-08-13 16:47:51,661 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-08-13 16:47:51,661 [root] INFO: Added new process to list with pid: 2500
2019-08-13 16:47:51,661 [root] INFO: Monitor successfully loaded in process with pid 2500.
2019-08-13 16:47:51,661 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 16:47:51,676 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 16:47:51,676 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:53,720 [root] DEBUG: DLL loaded at 0x73D50000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2019-08-13 16:47:53,798 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\wbem\wmiutils (0x17000 bytes).
2019-08-13 16:47:53,891 [root] DEBUG: DLL loaded at 0x000007FEFA3E0000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-08-13 16:47:53,891 [root] DEBUG: DLL loaded at 0x000007FEFB3B0000: C:\Windows\system32\ATL (0x19000 bytes).
2019-08-13 16:47:53,923 [root] DEBUG: DLL loaded at 0x000007FEFA3A0000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-08-13 16:47:54,016 [root] DEBUG: DLL loaded at 0x000007FEFAA30000: C:\Windows\system32\samcli (0x14000 bytes).
2019-08-13 16:47:54,048 [root] DEBUG: DLL loaded at 0x000007FEFBA90000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-08-13 16:47:54,062 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 16:47:54,078 [root] DEBUG: DLL loaded at 0x000007FEFB340000: C:\Windows\system32\es (0x67000 bytes).
2019-08-13 16:47:54,109 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-08-13 16:47:54,157 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-08-13 16:47:54,171 [root] DEBUG: DLL loaded at 0x000007FEF97D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-08-13 16:47:54,187 [root] DEBUG: DLL loaded at 0x000007FEF9C60000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-08-13 16:47:54,187 [root] DEBUG: DLL loaded at 0x000007FEF9BE0000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-08-13 16:47:54,203 [root] DEBUG: DLL unloaded from 0x000007FEF9840000.
2019-08-13 16:47:54,203 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-08-13 16:47:54,219 [root] DEBUG: DLL loaded at 0x73D10000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2019-08-13 16:47:54,250 [root] DEBUG: DLL loaded at 0x71BC0000: C:\Windows\system32\wbem\fastprox (0x96000 bytes).
2019-08-13 16:47:54,266 [root] DEBUG: DLL loaded at 0x71BA0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2019-08-13 16:47:54,266 [root] DEBUG: DLL loaded at 0x000007FEFCD30000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-08-13 16:47:54,312 [root] DEBUG: DLL loaded at 0x000007FEFA5B0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-08-13 16:47:54,312 [root] DEBUG: DLL loaded at 0x000007FEF99A0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-08-13 16:47:54,328 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-08-13 16:47:54,328 [root] DEBUG: DLL loaded at 0x000007FEFCD70000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-08-13 16:47:54,344 [root] DEBUG: DLL unloaded from 0x000007FEFCD70000.
2019-08-13 16:47:54,594 [root] DEBUG: DLL loaded at 0x000007FEF8380000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-08-13 16:47:54,608 [root] DEBUG: DLL loaded at 0x000007FEF8360000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-08-13 16:47:54,640 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 568, handle 0x2a4.
2019-08-13 16:47:54,655 [root] DEBUG: DLL loaded at 0x000007FEF9E00000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-08-13 16:47:54,703 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2019-08-13 16:47:54,812 [root] DEBUG: DLL loaded at 0x71B30000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-08-13 16:47:54,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c0 amd local view 0x080D0000 to global list ().
2019-08-13 16:47:54,858 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2b0 amd local view 0x0C100000 to global list ().
2019-08-13 16:47:54,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c8 amd local view 0x71AF0000 to global list ().
2019-08-13 16:47:54,951 [root] DEBUG: DLL loaded at 0x71AF0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni (0x3a000 bytes).
2019-08-13 16:47:54,951 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x60350000 for section view with handle 0x2c8 ().
2019-08-13 16:47:54,951 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08260000 for section view with handle 0x2c8 ().
2019-08-13 16:47:54,967 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2d4 amd local view 0x60350000 to global list ().
2019-08-13 16:47:54,967 [root] DEBUG: DLL loaded at 0x60350000: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x15000 bytes).
2019-08-13 16:47:54,967 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2d8 amd local view 0x0BCD0000 to global list ().
2019-08-13 16:47:54,967 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0BCD0000 for section view with handle 0x2d4 ().
2019-08-13 16:47:54,999 [root] DEBUG: DLL loaded at 0x000007FEFBAC0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-08-13 16:47:55,154 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2892, ImageBase: 0x00000000FF260000
2019-08-13 16:47:55,154 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2892
2019-08-13 16:47:55,154 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:47:55,154 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:47:55,154 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:47:55,154 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:47:55,186 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:47:55,186 [root] DEBUG: Loader: Injecting process 2892 (thread 2228) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:55,186 [root] DEBUG: Process image base: 0x00000000FF260000
2019-08-13 16:47:55,186 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:55,186 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF2BF000 - 0x000007FEFF6A0000
2019-08-13 16:47:55,186 [root] DEBUG: InjectDllViaIAT: Allocated 0x238 bytes for new import table at 0x00000000FF2C0000.
2019-08-13 16:47:55,186 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:47:55,186 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:47:55,186 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2892
2019-08-13 16:47:55,201 [root] DEBUG: DuplicationHandler: Failed to find section view with source handle 0x5f0.
2019-08-13 16:47:55,201 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:47:55,201 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:47:55,201 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:47:55,201 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:47:55,249 [root] INFO: Disabling sleep skipping.
2019-08-13 16:47:55,296 [root] WARNING: Unable to place hook on LockResource
2019-08-13 16:47:55,296 [root] WARNING: Unable to hook LockResource
2019-08-13 16:47:55,342 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 2892 at 0x0000000071C60000, image base 0x00000000FF260000, stack from 0x0000000000150000-0x0000000000160000
2019-08-13 16:47:55,342 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -secured -Embedding.
2019-08-13 16:47:55,342 [root] INFO: Added new process to list with pid: 2892
2019-08-13 16:47:55,342 [root] INFO: Monitor successfully loaded in process with pid 2892.
2019-08-13 16:47:55,451 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x00000000022A0000 to global list ().
2019-08-13 16:47:55,483 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 16:47:55,513 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 16:47:55,561 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 16:47:55,700 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 16:47:55,717 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x14c amd local view 0x00000000001B0000 to global list (\BaseNamedObjects\Wmi Provider Sub System Counters).
2019-08-13 16:47:55,809 [root] DEBUG: DLL loaded at 0x000007FEFA1D0000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-08-13 16:47:55,888 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 16:47:55,950 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 16:47:55,997 [root] DEBUG: DLL loaded at 0x000007FEFD270000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-08-13 16:47:56,700 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-08-13 16:47:56,964 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2892, handle 0xa750.
2019-08-13 16:47:57,058 [root] DEBUG: DLL loaded at 0x000007FEFA5B0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-08-13 16:47:59,803 [root] DEBUG: DLL loaded at 0x000007FEF3BF0000: C:\Windows\system32\wbem\cimwin32 (0x1fa000 bytes).
2019-08-13 16:47:59,803 [root] DEBUG: DLL loaded at 0x000007FEF3E10000: C:\Windows\system32\framedynos (0x4c000 bytes).
2019-08-13 16:47:59,803 [root] DEBUG: DLL loaded at 0x000007FEFB2A0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2019-08-13 16:48:01,177 [root] DEBUG: DLL loaded at 0x0000000071AE0000: C:\Windows\system32\WMI (0x3000 bytes).
2019-08-13 16:48:01,660 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2e4 amd local view 0x0BCD0000 to global list ().
2019-08-13 16:48:01,832 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x719D0000 for section view with handle 0x2d4 ().
2019-08-13 16:48:01,862 [root] DEBUG: DLL loaded at 0x719D0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni (0x104000 bytes).
2019-08-13 16:48:02,861 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x328 amd local view 0x6A310000 to global list ().
2019-08-13 16:48:02,940 [root] DEBUG: DLL loaded at 0x6A310000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils (0x9000 bytes).
2019-08-13 16:48:03,345 [root] DEBUG: DLL unloaded from 0x000007FEF9840000.
2019-08-13 16:48:07,681 [root] DEBUG: DLL unloaded from 0x0000000071AE0000.
2019-08-13 16:48:08,336 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 16:48:28,928 [root] DEBUG: DLL loaded at 0x000007FEFA990000: C:\Windows\System32\perfos (0xb000 bytes).
2019-08-13 16:48:48,974 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-08-13 16:48:54,871 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x334 amd local view 0x0BD80000 to global list ().
2019-08-13 16:48:54,903 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 amd local view 0x0BD80000 to global list ().
2019-08-13 16:49:15,448 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x390 amd local view 0x0BD90000 to global list (\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0).
2019-08-13 16:49:15,588 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x398 amd local view 0x718D0000 to global list ().
2019-08-13 16:49:15,683 [root] DEBUG: DLL loaded at 0x718D0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271\System.Configuration.ni (0xf1000 bytes).
2019-08-13 16:49:15,854 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x71390000 for section view with handle 0x398 ().
2019-08-13 16:49:15,947 [root] DEBUG: DLL loaded at 0x71390000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni (0x536000 bytes).
2019-08-13 16:49:16,151 [root] DEBUG: DLL loaded at 0x74D40000: C:\Windows\system32\rasapi32 (0x52000 bytes).
2019-08-13 16:49:16,243 [root] DEBUG: DLL loaded at 0x74D20000: C:\Windows\system32\rasman (0x15000 bytes).
2019-08-13 16:49:16,400 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-08-13 16:49:16,525 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-08-13 16:49:16,634 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-08-13 16:49:16,743 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-08-13 16:49:16,946 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x428 amd local view 0x0C6C0000 to global list (\BaseNamedObjects\netfxcustomperfcounters.1.0.net clr networking).
2019-08-13 16:49:17,101 [root] DEBUG: DLL unloaded from 0x74D20000.
2019-08-13 16:49:17,569 [root] DEBUG: DLL loaded at 0x71330000: C:\Windows\system32\winhttp (0x58000 bytes).
2019-08-13 16:49:17,742 [root] DEBUG: DLL loaded at 0x712E0000: C:\Windows\system32\webio (0x4f000 bytes).
2019-08-13 16:49:17,898 [root] DEBUG: DLL loaded at 0x712C0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2019-08-13 16:49:18,038 [root] DEBUG: DLL loaded at 0x71AE0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-08-13 16:49:18,178 [root] DEBUG: DLL loaded at 0x712B0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-08-13 16:49:18,288 [root] DEBUG: DLL loaded at 0x71290000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-08-13 16:49:18,335 [root] DEBUG: DLL unloaded from 0x77560000.
2019-08-13 16:49:18,474 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 16:49:18,490 [root] DEBUG: DLL loaded at 0x71280000: C:\Windows\system32\credssp (0x8000 bytes).
2019-08-13 16:49:18,490 [root] DEBUG: DLL unloaded from 0x74F80000.
2019-08-13 16:49:18,569 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 16:49:18,647 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-08-13 16:49:18,661 [root] DEBUG: DLL loaded at 0x71270000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-08-13 16:49:21,095 [root] DEBUG: DLL loaded at 0x71230000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-08-13 16:49:21,142 [root] DEBUG: DLL unloaded from 0x71230000.
2019-08-13 16:49:21,142 [root] DEBUG: DLL loaded at 0x71220000: C:\Windows\system32\shfolder (0x5000 bytes).
2019-08-13 16:49:21,361 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x56c amd local view 0x60340000 to global list ().
2019-08-13 16:49:21,407 [root] DEBUG: DLL loaded at 0x60340000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2019-08-13 16:49:21,438 [root] DEBUG: DLL unloaded from 0x60340000.
2019-08-13 16:49:21,486 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0CC60000 for section view with handle 0x56c ().
2019-08-13 16:49:21,563 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0BDB0000 for section view with handle 0x56c ().
2019-08-13 16:49:21,657 [root] DEBUG: DLL loaded at 0x707A0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 16:49:21,703 [root] DEBUG: DLL loaded at 0x70760000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 16:49:21,750 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 16:49:21,845 [root] DEBUG: DLL loaded at 0x705C0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 16:49:21,969 [root] DEBUG: DLL loaded at 0x70590000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-08-13 16:49:22,046 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 16:49:22,094 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 16:49:22,094 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 16:49:22,141 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 16:49:22,157 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5ac amd local view 0x0CC40000 to global list (\Sessions\1\BaseNamedObjects\C:_Users_user_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_65536).
2019-08-13 16:49:22,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5b8 amd local view 0x0CCE0000 to global list (\Sessions\1\BaseNamedObjects\C:_Users_user_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_32768).
2019-08-13 16:49:22,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5c4 amd local view 0x0CCF0000 to global list (\Sessions\1\BaseNamedObjects\C:_Users_user_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_32768).
2019-08-13 16:49:22,280 [root] DEBUG: DLL loaded at 0x70580000: C:\Windows\system32\vaultcli (0xc000 bytes).
2019-08-13 16:49:22,280 [root] DEBUG: DLL unloaded from 0x751E0000.
2019-08-13 16:49:22,437 [root] INFO: Announced starting service "VaultSvc"
2019-08-13 16:49:22,437 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-08-13 16:49:22,437 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:49:22,437 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:49:22,437 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:49:22,437 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:49:22,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:49:22,780 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:49:22,812 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2568, handle 0x84
2019-08-13 16:49:22,826 [root] DEBUG: Process image base: 0x00000000FFAB0000
2019-08-13 16:49:22,858 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-08-13 16:49:22,904 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-08-13 16:49:22,951 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:49:22,951 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:49:22,951 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:49:22,999 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:49:23,046 [root] INFO: Disabling sleep skipping.
2019-08-13 16:49:23,046 [root] WARNING: Unable to place hook on LockResource
2019-08-13 16:49:23,046 [root] WARNING: Unable to hook LockResource
2019-08-13 16:49:23,092 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 460 at 0x0000000071C60000, image base 0x00000000FFAB0000, stack from 0x0000000000FA6000-0x0000000000FB0000
2019-08-13 16:49:23,092 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-08-13 16:49:23,092 [root] INFO: Added new process to list with pid: 460
2019-08-13 16:49:23,092 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-08-13 16:49:23,092 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 16:49:23,138 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 16:49:23,138 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:49:24,263 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2019-08-13 16:49:24,263 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1848, ImageBase: 0x00000000FF460000
2019-08-13 16:49:24,309 [root] INFO: Announced 64-bit process name: lsass.exe pid: 1848
2019-08-13 16:49:24,309 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:49:24,309 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:49:24,309 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:49:24,309 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:49:24,559 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:49:24,559 [root] DEBUG: Loader: Injecting process 1848 (thread 2224) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:49:24,575 [root] DEBUG: Process image base: 0x00000000FF460000
2019-08-13 16:49:24,575 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:49:24,575 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF46C000 - 0x000007FEFF6A0000
2019-08-13 16:49:24,605 [root] DEBUG: InjectDllViaIAT: Allocated 0x2a4 bytes for new import table at 0x00000000FF470000.
2019-08-13 16:49:24,653 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:49:24,698 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:49:24,698 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1848
2019-08-13 16:49:24,746 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 1848, image base 0x00000000FF460000.
2019-08-13 16:49:24,746 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF460000.
2019-08-13 16:49:24,792 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001850.
2019-08-13 16:49:24,809 [root] INFO: Added new CAPE file to list with path: C:\osuwnxuczd\CAPE\460_8504867772492013282019
2019-08-13 16:49:24,839 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x7800.
2019-08-13 16:49:24,901 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2019-08-13 16:49:24,933 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1848.
2019-08-13 16:49:24,980 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1848.
2019-08-13 16:49:24,980 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-08-13 16:49:25,026 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:49:25,026 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:49:25,073 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:49:25,088 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:49:25,121 [root] INFO: Disabling sleep skipping.
2019-08-13 16:49:25,167 [root] WARNING: Unable to place hook on LockResource
2019-08-13 16:49:25,198 [root] WARNING: Unable to hook LockResource
2019-08-13 16:49:25,244 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 1848 at 0x0000000071C60000, image base 0x00000000FF460000, stack from 0x00000000000E4000-0x00000000000F0000
2019-08-13 16:49:25,244 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2019-08-13 16:49:25,292 [root] INFO: Added new process to list with pid: 1848
2019-08-13 16:49:25,292 [root] INFO: Monitor successfully loaded in process with pid 1848.
2019-08-13 16:49:55,026 [root] INFO: Notified of termination of process with pid 1848.
2019-08-13 16:49:55,711 [root] DEBUG: DLL loaded at 0x70550000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2019-08-13 16:49:55,743 [root] DEBUG: DLL loaded at 0x70530000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2019-08-13 16:49:55,759 [lib.api.process] WARNING: Unable to find process dump for process 1848.
2019-08-13 16:49:55,759 [root] INFO: Process with pid 1848 has terminated
2019-08-13 16:49:55,775 [root] DEBUG: DLL loaded at 0x70500000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2019-08-13 16:49:55,775 [root] DEBUG: DLL loaded at 0x704F0000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2019-08-13 16:49:55,789 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x604 amd local view 0x0BC10000 to global list ().
2019-08-13 16:50:04,963 [root] INFO: Announced 32-bit process name:  pid: 134349580
2019-08-13 16:50:04,979 [lib.api.process] WARNING: The process with pid 134349580 is not alive, injection aborted
2019-08-13 16:50:05,025 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x488 amd local view 0x0D1C0000 to global list (\BaseNamedObjects\NLS_CodePage_437_3_2_0_0).
2019-08-13 16:50:10,423 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2676, ImageBase: 0x00000000FF880000
2019-08-13 16:50:10,796 [modules.auxiliary.screenshots] ERROR: Cannot take screenshot: screen grab failed
2019-08-13 16:50:11,016 [root] INFO: Announced 64-bit process name: taskhost.exe pid: 2676
2019-08-13 16:50:11,421 [root] ERROR: Traceback (most recent call last):
  File "C:\osuwnxuczd\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\osuwnxuczd\lib\core\log.py", line 61, in handle_logs
    data += buf.raw[:bytes_read.value]
MemoryError
Traceback (most recent call last):
  File "C:\osuwnxuczd\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\osuwnxuczd\lib\core\log.py", line 61, in handle_logs
    data += buf.raw[:bytes_read.value]
MemoryError
2019-08-13 16:50:17,957 [modules.auxiliary.screenshots] ERROR: Cannot take screenshot: screen grab failed
2019-08-13 16:50:17,957 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:50:17,957 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:50:17,973 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:50:17,973 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:50:21,390 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:50:21,421 [root] DEBUG: Loader: Injecting process 2676 (thread 2780) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:21,515 [root] DEBUG: DLL unloaded from 0x71330000.
2019-08-13 16:50:21,546 [root] DEBUG: Process image base: 0x00000000FF880000
2019-08-13 16:50:21,638 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:21,749 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF894000 - 0x000007FEFF6A0000
2019-08-13 16:50:21,920 [root] DEBUG: InjectDllViaIAT: Allocated 0x238 bytes for new import table at 0x00000000FF8A0000.
2019-08-13 16:50:21,936 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:50:22,107 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:22,217 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2676
2019-08-13 16:50:22,372 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2676, image base 0x00000000FF880000.
2019-08-13 16:50:22,543 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF880000.
2019-08-13 16:50:22,763 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000002CE0.
2019-08-13 16:50:23,371 [root] INFO: Added new CAPE file to list with path: C:\osuwnxuczd\CAPE\460_151398650422102013282019
2019-08-13 16:50:23,822 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x10c00.
2019-08-13 16:50:24,104 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2019-08-13 16:50:24,181 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2676.
2019-08-13 16:50:24,306 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2676.
2019-08-13 16:50:24,540 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:50:24,961 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:50:25,164 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:50:25,211 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:50:25,585 [root] DEBUG: DLL unloaded from 0x000007FEFE500000.
2019-08-13 16:50:26,085 [root] INFO: Announced starting service "WerSvc"
2019-08-13 16:50:26,085 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup.
2019-08-13 16:50:26,085 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1440, ImageBase: 0x00000000FF8E0000
2019-08-13 16:50:26,117 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1440
2019-08-13 16:50:26,117 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:50:26,117 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:50:26,117 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:50:26,117 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:50:26,148 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:50:26,148 [root] DEBUG: Loader: Injecting process 1440 (thread 836) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:26,163 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-08-13 16:50:26,163 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:26,178 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF8EB000 - 0x000007FEFF6A0000
2019-08-13 16:50:26,178 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FF8F0000.
2019-08-13 16:50:26,178 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:50:26,178 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:26,178 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1440
2019-08-13 16:50:26,178 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 1440, image base 0x00000000FF8E0000.
2019-08-13 16:50:26,194 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF8E0000.
2019-08-13 16:50:26,226 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2019-08-13 16:50:26,397 [root] INFO: Added new CAPE file to list with path: C:\osuwnxuczd\CAPE\460_147343142426102013282019
2019-08-13 16:50:26,413 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2019-08-13 16:50:26,413 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2019-08-13 16:50:26,444 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1440.
2019-08-13 16:50:26,444 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1440.
2019-08-13 16:50:26,460 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:50:26,474 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:50:26,474 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:50:26,474 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:50:38,003 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-08-13 16:50:41,654 [root] INFO: Announced starting service "WerSvc"
2019-08-13 16:50:41,670 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup.
2019-08-13 16:50:41,670 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2196, ImageBase: 0x00000000FF8E0000
2019-08-13 16:50:41,684 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2196
2019-08-13 16:50:41,684 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 16:50:41,684 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2019-08-13 16:50:41,684 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 16:50:41,700 [lib.api.process] INFO: 64-bit DLL to inject is C:\osuwnxuczd\dll\SbTJImQg.dll, loader C:\osuwnxuczd\bin\CqNLwQDl.exe
2019-08-13 16:50:41,763 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MRYwxuQ.
2019-08-13 16:50:41,779 [root] DEBUG: Loader: Injecting process 2196 (thread 2716) with C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:41,779 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-08-13 16:50:41,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:41,795 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF8EB000 - 0x000007FEFF6A0000
2019-08-13 16:50:41,795 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FF8F0000.
2019-08-13 16:50:41,795 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 16:50:41,809 [root] DEBUG: Successfully injected DLL C:\osuwnxuczd\dll\SbTJImQg.dll.
2019-08-13 16:50:41,809 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2196
2019-08-13 16:50:41,809 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2196, image base 0x00000000FF8E0000.
2019-08-13 16:50:41,825 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF8E0000.
2019-08-13 16:50:41,857 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2019-08-13 16:50:41,888 [root] INFO: Added new CAPE file to list with path: C:\osuwnxuczd\CAPE\460_136431619141102013282019
2019-08-13 16:50:41,888 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2019-08-13 16:50:41,918 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2019-08-13 16:50:41,918 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2196.
2019-08-13 16:50:41,918 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2196.
2019-08-13 16:50:41,950 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 16:50:41,950 [root] DEBUG: Process memory dumps disabled.
2019-08-13 16:50:41,966 [root] DEBUG: Import reconstruction of process dumps enabled.
2019-08-13 16:50:42,043 [root] DEBUG: CAPE debug - unrecognised key procmemdump.
2019-08-13 16:50:45,648 [root] DEBUG: DLL loaded at 0x704E0000: C:\Windows\system32\security (0x3000 bytes).
2019-08-13 16:50:45,663 [root] DEBUG: DLL loaded at 0x704D0000: C:\Windows\system32\SECUR32 (0x8000 bytes).
2019-08-13 16:50:45,694 [root] DEBUG: DLL loaded at 0x70490000: C:\Windows\SysWOW64\schannel (0x3a000 bytes).
2019-08-13 16:50:45,756 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 16:50:45,756 [root] INFO: Created shutdown mutex.
2019-08-13 16:50:45,913 [root] DEBUG: DLL loaded at 0x70450000: C:\Windows\system32\ncrypt (0x38000 bytes).
2019-08-13 16:50:45,990 [root] DEBUG: DLL loaded at 0x70410000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2019-08-13 16:50:46,115 [root] DEBUG: DLL loaded at 0x703F0000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 16:50:46,177 [root] DEBUG: DLL loaded at 0x703D0000: C:\Windows\system32\GPAPI (0x16000 bytes).
2019-08-13 16:50:46,302 [root] DEBUG: DLL loaded at 0x703B0000: C:\Windows\system32\cryptnet (0x1c000 bytes).
2019-08-13 16:50:46,319 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 16:50:46,334 [root] DEBUG: DLL loaded at 0x703A0000: C:\Windows\system32\SensApi (0x6000 bytes).
2019-08-13 16:50:46,459 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\setupapi (0x19d000 bytes).
2019-08-13 16:50:46,506 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 16:50:46,584 [root] DEBUG: DLL loaded at 0x70380000: C:\Windows\system32\Cabinet (0x15000 bytes).
2019-08-13 16:50:46,598 [root] DEBUG: DLL loaded at 0x70370000: C:\Windows\system32\DEVRTL (0xe000 bytes).
2019-08-13 16:50:46,677 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-08-13 16:50:46,770 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2348
2019-08-13 16:50:46,770 [root] INFO: Terminate event set for process 2348.
2019-08-13 16:50:46,770 [root] INFO: Terminating process 2348 before shutdown.
2019-08-13 16:50:46,770 [root] INFO: Waiting for process 2348 to exit.
2019-08-13 16:50:46,957 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\setupapi (0x19d000 bytes).
2019-08-13 16:50:46,973 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 16:50:47,052 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 16:50:47,114 [root] DEBUG: DLL unloaded from 0x77560000.
2019-08-13 16:50:47,144 [root] DEBUG: DLL unloaded from 0x71330000.
2019-08-13 16:50:47,177 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x798 amd local view 0x0BC40000 to global list ().
2019-08-13 16:50:47,191 [root] DEBUG: DLL unloaded from 0x77560000.
2019-08-13 16:50:47,207 [root] DEBUG: DLL unloaded from 0x71330000.
2019-08-13 16:50:47,441 [root] DEBUG: DLL unloaded from 0x703B0000.
2019-08-13 16:50:47,489 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\setupapi (0x19d000 bytes).
2019-08-13 16:50:47,489 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 16:50:47,535 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-08-13 16:50:47,785 [root] INFO: Waiting for process 2348 to exit.
2019-08-13 16:50:47,832 [root] DEBUG: DLL unloaded from 0x77560000.
2019-08-13 16:50:47,862 [root] DEBUG: DLL unloaded from 0x71330000.
2019-08-13 16:50:47,878 [root] DEBUG: DLL unloaded from 0x77560000.
2019-08-13 16:50:47,910 [root] DEBUG: DLL unloaded from 0x71330000.
2019-08-13 16:50:47,971 [root] DEBUG: DLL unloaded from 0x703B0000.
2019-08-13 16:50:48,799 [root] INFO: Waiting for process 2348 to exit.
2019-08-13 16:50:49,812 [root] INFO: Waiting for process 2348 to exit.
2019-08-13 16:50:50,826 [lib.api.process] INFO: Successfully terminated process with pid 2348.
2019-08-13 16:50:50,826 [root] INFO: Waiting for process 2348 to exit.
2019-08-13 16:50:51,841 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2892
2019-08-13 16:50:51,841 [root] INFO: Terminate event set for process 2892.
2019-08-13 16:50:51,841 [root] INFO: Terminating process 2892 before shutdown.
2019-08-13 16:50:51,841 [root] INFO: Waiting for process 2892 to exit.
2019-08-13 16:50:52,855 [root] INFO: Waiting for process 2892 to exit.
2019-08-13 16:50:53,868 [root] INFO: Waiting for process 2892 to exit.
2019-08-13 16:50:54,882 [root] INFO: Waiting for process 2892 to exit.
2019-08-13 16:50:55,897 [lib.api.process] INFO: Successfully terminated process with pid 2892.
2019-08-13 16:50:55,944 [root] INFO: Waiting for process 2892 to exit.
2019-08-13 16:50:56,957 [root] INFO: Shutting down package.
2019-08-13 16:50:56,973 [lib.api.process] WARNING: Unable to find process dump for process 2348.
2019-08-13 16:50:56,989 [lib.api.process] WARNING: Unable to find process dump for process 568.
2019-08-13 16:50:57,005 [lib.api.process] WARNING: Unable to find process dump for process 2500.
2019-08-13 16:50:57,019 [lib.api.process] WARNING: Unable to find process dump for process 2892.
2019-08-13 16:50:57,036 [lib.api.process] WARNING: Unable to find process dump for process 460.
2019-08-13 16:50:57,036 [root] INFO: Stopping auxiliary modules.
2019-08-13 16:50:57,098 [root] INFO: Finishing auxiliary modules.
2019-08-13 16:50:57,161 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 16:50:57,161 [root] WARNING: File at path "C:\HcRMmVz\debugger" does not exist, skip.
2019-08-13 16:50:57,161 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup.
2019-08-13 16:50:57,161 [root] WARNING: Monitor injection attempted but failed for process 134349580.
2019-08-13 16:50:57,176 [root] WARNING: Monitor injection attempted but failed for process 2676.
2019-08-13 16:50:57,176 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2884, ImageBase: 0x00000000FF8E0000
2019-08-13 16:50:57,176 [root] WARNING: Monitor injection attempted but failed for process 1440.
2019-08-13 16:50:57,176 [root] WARNING: Monitor injection attempted but failed for process 2196.
2019-08-13 16:50:57,176 [root] INFO: Analysis completed.
2019-08-13 16:50:57,176 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2884, image base 0x00000000FF8E0000.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-08-13 15:47:00 2019-08-13 15:51:09

File Details

File Name JJB-175325-#33001.exe
File Size 966656 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6a237f3a634fe7697150c1aceb4849e8
SHA1 466eddb76b322d5252689ebd5de8e3b37adbde9e
SHA256 2274f0b2e9370ac7e7e7777c34766c09b09ef528fbbf6a6b04e1291e69ff6bd6
SHA512 b6b121a08d95c6b8741e10d292b0e8e63ae94120b4d27d8160c64caf1833eb369c943fdd2a3d785466c4d939dc65b75b27cbaf79b5e48f6a3a9d5f468fd40198
CRC32 04BE684F
Ssdeep 12288:44IitFNVMfBetcCzJ4iQSYPSYA3ekunqAI+jeXBaG02d3L:44IidVUeuCHQSASe03
TrID
  • 88.6% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
  • 4.8% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.1% (.EXE) OS/2 Executable (generic) (2029/13)
  • 2.1% (.EXE) Generic Win/DOS Executable (2002/3)
  • 2.1% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched
Resubmit sample

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (1 unique times)
IP: 72.247.177.161:80 (Netherlands)
Possible date expiration check, exits too soon after checking local time
process: JJB-175325-_33001.exe, PID 1844
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: JJB-175325-_33001.exe tried to sleep 776 seconds, actually delayed analysis time by 0 seconds
Process: WmiPrvSE.exe tried to sleep 302 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: kernel32.dll/RtlMoveMemory
DynamicLoader: kernel32.dll/EnumUILanguagesA
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/FreeResource
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/LockResource
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/FreeEnvironmentStringsA
DynamicLoader: kernel32.dll/GetEnvironmentStrings
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/CompareStringA
DynamicLoader: kernel32.dll/CompareStringW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/WriteConsoleA
DynamicLoader: kernel32.dll/GetConsoleOutputCP
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/CLRCreateInstance
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.DLL/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorImageUnloading
DynamicLoader: mscoree.dll/_CorValidateImage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: ole32.dll/BindMoniker
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsLookupClrGuid
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: OLEAUT32.dll/VariantInit
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: kernel32.dll/LoadLibrary
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: kernel32.dll/ZeroMemory
DynamicLoader: kernel32.dll/ZeroMemoryA
DynamicLoader: kernel32.dll/RtlZeroMemory
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/GetComputerName
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/GetModuleHandle
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: kernel32.dll/CreateIoCompletionPort
DynamicLoader: kernel32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: rasapi32.dll/RasEnumConnections
DynamicLoader: rasapi32.dll/RasEnumConnectionsW
DynamicLoader: rtutils.dll/TraceRegisterExA
DynamicLoader: rtutils.dll/TracePrintfExA
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: WS2_32.dll/WSAStartup
DynamicLoader: WS2_32.dll/WSASocket
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/WSAEventSelect
DynamicLoader: WS2_32.dll/ioctlsocket
DynamicLoader: WS2_32.dll/closesocket
DynamicLoader: kernel32.dll/GetComputerName
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptor
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/CreateFileMapping
DynamicLoader: kernel32.dll/CreateFileMappingW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
DynamicLoader: ADVAPI32.dll/CreateWellKnownSidW
DynamicLoader: kernel32.dll/CreateMutex
DynamicLoader: kernel32.dll/CreateMutexW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/OpenMutex
DynamicLoader: kernel32.dll/OpenMutexW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: kernel32.dll/GetProcessTimes
DynamicLoader: kernel32.dll/GetProcessTimesW
DynamicLoader: WS2_32.dll/ioctlsocket
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: kernel32.dll/FormatMessage
DynamicLoader: kernel32.dll/FormatMessageW
DynamicLoader: WS2_32.dll/WSAEventSelect
DynamicLoader: rasapi32.dll/RasConnectionNotification
DynamicLoader: rasapi32.dll/RasConnectionNotificationW
DynamicLoader: ADVAPI32.dll/RegOpenCurrentUser
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: winhttp.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: winhttp.dll/WinHttpDetectAutoProxyConfigUrl
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: WS2_32.dll/getaddrinfo
DynamicLoader: WS2_32.dll/
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: IPHLPAPI.DLL/GetNetworkParams
DynamicLoader: DNSAPI.dll/DnsQueryConfig
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: IPHLPAPI.DLL/GetIpInterfaceEntry
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/inet_addr
DynamicLoader: WS2_32.dll/getaddrinfo
DynamicLoader: WS2_32.dll/freeaddrinfo
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/WSAConnect
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: WS2_32.dll/send
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/recv
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: MLANG.dll/
DynamicLoader: WININET.dll/FindFirstUrlCacheEntryA
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: shell32.DLL/SHGetFolderPathW
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/SetWindowsHookEx
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/SetClipboardViewerW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleGetClipboard
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/IsWindowUnicode
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: WS2_32.dll/
DynamicLoader: kernel32.dll/GetTempPath
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: WS2_32.dll/shutdown
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/GlobalMemoryStatusExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: kernel32.dll/CreateSemaphore
DynamicLoader: kernel32.dll/CreateSemaphoreA
DynamicLoader: security.dll/EnumerateSecurityPackagesW
DynamicLoader: security.dll/FreeContextBuffer
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrlenWW
DynamicLoader: kernel32.dll/RtlMoveMemory
DynamicLoader: kernel32.dll/RtlMoveMemoryW
DynamicLoader: security.dll/FreeCredentialsHandle
DynamicLoader: security.dll/AcquireCredentialsHandleW
DynamicLoader: schannel.dll/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: security.dll/DeleteSecurityContext
DynamicLoader: security.dll/InitializeSecurityContextW
DynamicLoader: SECUR32.DLL/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: security.dll/QueryContextAttributesW
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: CRYPT32.dll/CertGetCertificateContextProperty
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContextW
DynamicLoader: CRYPT32.dll/CertCloseStore
DynamicLoader: CRYPT32.dll/CertDuplicateStore
DynamicLoader: CRYPT32.dll/CertDuplicateStoreW
DynamicLoader: CRYPT32.dll/CertEnumCertificatesInStore
DynamicLoader: CRYPT32.dll/CertEnumCertificatesInStoreW
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertOpenStore
DynamicLoader: CRYPT32.dll/CertOpenStoreW
DynamicLoader: CRYPT32.dll/CertAddCertificateLinkToStore
DynamicLoader: CRYPT32.dll/CertAddCertificateLinkToStoreW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: CRYPT32.dll/CertGetCertificateChainW
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: SensApi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: Cabinet.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptSetHashParam
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: Cabinet.dll/
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: winhttp.dll/WinHttpOpen
DynamicLoader: winhttp.dll/WinHttpSetTimeouts
DynamicLoader: winhttp.dll/WinHttpSetOption
DynamicLoader: winhttp.dll/WinHttpCrackUrl
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: winhttp.dll/WinHttpConnect
DynamicLoader: winhttp.dll/WinHttpOpenRequest
DynamicLoader: winhttp.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: winhttp.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: winhttp.dll/WinHttpGetProxyForUrl
DynamicLoader: winhttp.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: winhttp.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: winhttp.dll/WinHttpReceiveResponse
DynamicLoader: winhttp.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: winhttp.dll/WinHttpQueryDataAvailable
DynamicLoader: winhttp.dll/WinHttpReadData
DynamicLoader: winhttp.dll/WinHttpCloseHandle
DynamicLoader: cryptnet.dll/I_CryptNetSetUrlCacheFlushInfo
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: Cabinet.dll/
DynamicLoader: cryptnet.dll/I_CryptNetSetUrlCachePreFetchInfo
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateChainW
DynamicLoader: mscoree.dll/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicyW
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: security.dll/EncryptMessage
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: security.dll/DecryptMessage
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/IsThreadAFiber
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ADVAPI32.dll/LogonUserExExW
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: WMI.DLL/WmiQueryAllDataW
DynamicLoader: WMI.DLL/WmiQuerySingleInstanceW
DynamicLoader: WMI.DLL/WmiSetSingleItemW
DynamicLoader: WMI.DLL/WmiSetSingleInstanceW
DynamicLoader: WMI.DLL/WmiExecuteMethodW
DynamicLoader: WMI.DLL/WmiNotificationRegistrationW
DynamicLoader: WMI.DLL/WmiMofEnumerateResourcesW
DynamicLoader: WMI.DLL/WmiFileHandleToInstanceNameW
DynamicLoader: WMI.DLL/WmiDevInstToInstanceNameW
DynamicLoader: WMI.DLL/WmiQueryGuidInformation
DynamicLoader: WMI.DLL/WmiOpenBlock
DynamicLoader: WMI.DLL/WmiCloseBlock
DynamicLoader: WMI.DLL/WmiFreeBuffer
DynamicLoader: WMI.DLL/WmiEnumerateGuids
DynamicLoader: OLEAUT32.dll/
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://checkip.amazonaws.com/
Performs some HTTP requests
url: http://checkip.amazonaws.com/
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt
Looks up the external IP address
domain: checkip.amazonaws.com
Behavioural detection: Injection (Process Hollowing)
Injection: JJB-175325-_33001.exe(1844) -> JJB-175325-_33001.exe(2348)
Executed a process and injected code into it, probably while unpacking
Injection: JJB-175325-_33001.exe(1844) -> JJB-175325-_33001.exe(2348)
Sniffs keystrokes
SetWindowsHookExW: Process: JJB-175325-_33001.exe(2348)
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (460) called API GetSystemTimeAsFileTime 2765133 times
Spam: JJB-175325-_33001.exe (1844) called API GetLocalTime 65020 times
Checks the CPU name from registry, possibly for anti-virtualization
Harvests credentials from local FTP client softwares
file: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\user\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Makes SMTP requests, possibly sending spam or exfiltrating data.
SMTP: 217.70.178.9 (mail.gandi.net)
Collects information to fingerprint the system

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 72.247.177.161 [VT] Netherlands
N 34.196.181.158 [VT] United States
N 3.224.145.145 [VT] United States
N 217.70.178.9 [VT] France

DNS

Name Response Post-Analysis Lookup
checkip.amazonaws.com [VT] A 52.55.255.113 [VT]
CNAME checkip.check-ip.aws.a2z.com [VT]
A 52.44.169.135 [VT]
CNAME checkip.us-east-1.prod.check-ip.aws.a2z.com [VT]
A 18.205.71.63 [VT]
A 3.224.145.145 [VT]
A 18.204.189.102 [VT]
A 34.196.181.158 [VT]
mail.gandi.net [VT] A 217.70.178.9 [VT]
www.download.windowsupdate.com [VT] CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
A 72.247.177.161 [VT]
CNAME download.windowsupdate.com.edgesuite.net [VT]
A 72.247.177.169 [VT]
CNAME a767.dspw65.akamai.net [VT]

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\user\AppData\Local\Temp\varieteterlafay
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\System32\l_intl.nls
C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\Globalization\en-gb.nlp
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\OLEAUT32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni.dll
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.INI
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\oleaut32.DLL
C:\Windows\SysWOW64\stdole2.tlb
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\oleaut32.dll
C:\Windows\System32\tzres.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271\System.Configuration.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\rasapi32.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ws2_32.dll
C:\Windows\Globalization\en.nlp
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\winhttp.dll
C:\%insfolder%\%insname%
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\iphlpapi.dll
C:\Users\user\AppData\Local\Google\Chrome\User Data\
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Windows\assembly\GAC_32\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\0.0.0.0_en-US_461d39c4a423da0b
C:\Windows\assembly\GAC_MSIL\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\0.0.0.0_en-US_461d39c4a423da0b
C:\Windows\assembly\GAC\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\0.0.0.0_en-US_461d39c4a423da0b
C:\Users\user\AppData\Local\Temp\en-US\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\assembly\GAC_32\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\0.0.0.0_en_461d39c4a423da0b
C:\Windows\assembly\GAC_MSIL\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\0.0.0.0_en_461d39c4a423da0b
C:\Windows\assembly\GAC\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\0.0.0.0_en_461d39c4a423da0b
C:\Users\user\AppData\Local\Temp\en\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.dll
C:\Users\user\AppData\Local\Temp\en\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.dll
C:\Users\user\AppData\Local\Temp\en\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.exe
C:\Users\user\AppData\Local\Temp\en\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources\VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\user\AppData\Local\Microsoft\Windows\History
C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\user\AppData\Local\Temp\vaultcli.dll
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\user\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\user\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\user\AppData\Local\360Chrome\Chrome\User Data
C:\Users\user\AppData\Local\Iridium\User Data
C:\Users\user\AppData\Local\Comodo\Dragon\User Data
C:\Users\user\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\user\AppData\Local\Chromium\User Data
C:\Users\user\AppData\Local\Torch\User Data
C:\Users\user\AppData\Local\7Star\7Star\User Data
C:\Users\user\AppData\Local\Amigo\User Data
C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\user\AppData\Local\CentBrowser\User Data
C:\Users\user\AppData\Local\Chedot\User Data
C:\Users\user\AppData\Local\CocCoc\Browser\User Data
C:\Users\user\AppData\Local\Elements Browser\User Data
C:\Users\user\AppData\Local\Epic Privacy Browser\User Data
C:\Users\user\AppData\Local\Kometa\User Data
C:\Users\user\AppData\Local\Orbitum\User Data
C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\user\AppData\Local\uCozMedia\Uran\User Data
C:\Users\user\AppData\Local\Vivaldi\User Data
C:\Users\user\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\user\AppData\Local\liebao\User Data
C:\Users\user\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\user\AppData\Local\QIP Surf\User Data
C:\Users\user\AppData\Local\Coowon\Coowon\User Data
C:\Users\user\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\user\AppData\Roaming\Flock\Browser\profiles.ini
C:\Windows\assembly\GAC_32\Microsoft.VisualBasic.resources\8.0.0.0_en-GB_b03f5f7f11d50a3a
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.resources\8.0.0.0_en-GB_b03f5f7f11d50a3a
C:\Windows\assembly\GAC\Microsoft.VisualBasic.resources\8.0.0.0_en-GB_b03f5f7f11d50a3a
C:\Users\user\AppData\Local\Temp\en-GB\Microsoft.VisualBasic.resources.dll
C:\Users\user\AppData\Local\Temp\en-GB\Microsoft.VisualBasic.resources\Microsoft.VisualBasic.resources.dll
C:\Users\user\AppData\Local\Temp\en-GB\Microsoft.VisualBasic.resources.exe
C:\Users\user\AppData\Local\Temp\en-GB\Microsoft.VisualBasic.resources\Microsoft.VisualBasic.resources.exe
C:\Windows\assembly\GAC_32\Microsoft.VisualBasic.resources\8.0.0.0_en_b03f5f7f11d50a3a
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.resources\8.0.0.0_en_b03f5f7f11d50a3a
C:\Windows\assembly\GAC\Microsoft.VisualBasic.resources\8.0.0.0_en_b03f5f7f11d50a3a
C:\Users\user\AppData\Local\Temp\en\Microsoft.VisualBasic.resources.dll
C:\Users\user\AppData\Local\Temp\en\Microsoft.VisualBasic.resources\Microsoft.VisualBasic.resources.dll
C:\Users\user\AppData\Local\Temp\en\Microsoft.VisualBasic.resources.exe
C:\Users\user\AppData\Local\Temp\en\Microsoft.VisualBasic.resources\Microsoft.VisualBasic.resources.exe
C:\Users\user\AppData\Local\UCBrowser\*
C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\user\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\user\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\user\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\user\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\user\AppData\Roaming\Waterfox\profiles.ini
C:\Users\user\AppData\Local\falkon\profiles\profiles.ini
C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
C:\Storage\
C:\mail\
C:\Users\user\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\user\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\user\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\user\AppData\Roaming\Pocomail\accounts.ini
C:\Users\user\AppData\Roaming\The Bat!
C:\Users\user\AppData\Roaming\Postbox\profiles.ini
C:\Users\user\AppData\Roaming\Claws-mail
C:\Users\user\AppData\Roaming\Claws-mail\clawsrc
C:\Users\user\AppData\Local\Temp\Folder.lst
C:\Users\user\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\user\AppData\Roaming\Psi\profiles
C:\Users\user\AppData\Roaming\Psi+\profiles
C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\user\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\user\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\FTP Navigator\Ftplist.txt
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\cftp\Ftplist.txt
C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files (x86)\jDownloader\config\database.script
C:\Users\user\AppData\Local\Google\Chrome\User Data
C:\Users\user\AppData\Roaming\Opera Software\Opera Stable
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\user\AppData\Local\UCBrowser\
C:\Users\user\AppData\Roaming\Mozilla\Firefox\
C:\Users\user\AppData\Roaming\Postbox\
C:\Users\user\AppData\Roaming\Thunderbird\
C:\Users\user\AppData\Roaming\Mozilla\SeaMonkey\
C:\Users\user\AppData\Roaming\Flock\Browser\
C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\
C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\
C:\Users\user\AppData\Roaming\K-Meleon\
C:\Users\user\AppData\Roaming\Mozilla\icecat\
C:\Users\user\AppData\Roaming\Moonchild Productions\Pale Moon\
C:\Users\user\AppData\Roaming\Comodo\IceDragon\
C:\Users\user\AppData\Roaming\Waterfox\
C:\Users\user\AppData\Roaming\3huvl2la.zmk.zip
C:\Users\user\AppData\Roaming\3huvl2la.zmk\*
C:\Users\user\AppData\Local\Temp\log.tmp
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\security.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\crypt32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CRYPT32.dll
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Windows\System32\dnsapi.dll
C:\Users\user\AppData\Local\Temp\Cab9F2C.tmp
C:\Users\user\AppData\Local\Temp\Tar9F2D.tmp
C:\Users\user\AppData\Local\Temp\
C:\Windows\inf\
C:\Users\user\AppData\Local\Temp\CabA0C3.tmp
C:\Users\user\AppData\Local\Temp\TarA0C4.tmp
C:\Windows\System32\en-US\winhttp.dll.mui
C:\Users\user\AppData\LocalLow
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\CabA345.tmp
C:\Users\user\AppData\Local\Temp\TarA356.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\46D7547AA7F9B9DA290D5C19668E04C1
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository
C:\Windows\sysnative\wbem\Logs
C:\Windows\sysnative\wbem\AutoRecover
C:\Windows\sysnative\wbem\MOF
C:\Windows\sysnative\wbem\repository\INDEX.BTR
C:\Windows\sysnative\wbem\repository\WRITABLE.TST
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\WBEM9xUpgd.dat
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\sysnative\wbem\Logs\
\??\WMIDataDevice
C:\Windows\Temp
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni.dll
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\SysWOW64\stdole2.tlb
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\System32\tzres.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\user\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\user\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\user\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\user\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\user\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\user\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\user\AppData\Roaming\Waterfox\profiles.ini
C:\Users\user\AppData\Local\falkon\profiles\profiles.ini
C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\user\AppData\Roaming\Postbox\profiles.ini
C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\user\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\FTP Navigator\Ftplist.txt
C:\Users\user\AppData\Roaming\3huvl2la.zmk.zip
C:\Users\user\AppData\Local\Temp\Cab9F2C.tmp
C:\Users\user\AppData\Local\Temp\Tar9F2D.tmp
C:\Users\user\AppData\Local\Temp\CabA0C3.tmp
C:\Users\user\AppData\Local\Temp\TarA0C4.tmp
C:\Windows\System32\en-US\winhttp.dll.mui
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\CabA345.tmp
C:\Users\user\AppData\Local\Temp\TarA356.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\46D7547AA7F9B9DA290D5C19668E04C1
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\user\AppData\Roaming\3huvl2la.zmk.zip
C:\Users\user\AppData\Local\Temp\Cab9F2C.tmp
C:\Users\user\AppData\Local\Temp\Tar9F2D.tmp
C:\Users\user\AppData\Local\Temp\CabA0C3.tmp
C:\Users\user\AppData\Local\Temp\TarA0C4.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\CabA345.tmp
C:\Users\user\AppData\Local\Temp\TarA356.tmp
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository\WRITABLE.TST
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
C:\Users\user\AppData\Local\Temp\Cab9F2C.tmp
C:\Users\user\AppData\Local\Temp\Tar9F2D.tmp
C:\Users\user\AppData\Local\Temp\CabA0C3.tmp
C:\Users\user\AppData\Local\Temp\TarA0C4.tmp
C:\Users\user\AppData\Local\Temp\CabA345.tmp
C:\Users\user\AppData\Local\Temp\TarA356.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\JJB-175325-_33001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JJB-175325-_33001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\53d498f7\3fc7d248
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\JJB-175325-_33001.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\356E510D
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\809
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.ni.dll
HKEY_CLASSES_ROOT\CLSID\{D6BDAFB2-9435-491F-BB87-6AA0F0BC31A2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\wminet_utils.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\JJB-175325-_33001_RASAPI32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileDirectory
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableFileTracing
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileTracingMask
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableConsoleTracing
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\ConsoleTracingMask
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\MaxFileSize
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Counter Names
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-0c-29-f8-d7-43
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenBadTlds
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenBadTlds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\FilterClusterIp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\FilterClusterIp
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseEdns
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseEdns
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\QueryIpMatching
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryIpMatching
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseHostsFile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseHostsFile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AddrConfigControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AddrConfigControl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableWanDynamicUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationTTL
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheTtl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCachedSockets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCachedSockets
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\CacheAllCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseNewRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistrationOnly
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterDomainName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\DhcpDomain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{846EE342-7039-11DE-9D20-806E6F6E6963}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\SearchList
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\NodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpNodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\ScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableProxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableDns
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources_en-US_461d39c4a423da0b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4e737d0e\56d38e7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|JJB-175325-_33001.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|JJB-175325-_33001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|JJB-175325-_33001.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.VQQQIDULPBMLSWBHBWPIBPUOWMZVOWNXYFKOJAIX_20190718094011775.resources_en_461d39c4a423da0b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4e737d0e\faf6b28
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
\xe8\x91\xb0\xc8\x99EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
\xe8\x91\xb0\xc8\x99EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
\xe8\x91\xb0\xc8\x99EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic.resources_en-GB_b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6d5fb745\610b1085
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic.resources_en_b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6d5fb745\15f61caa
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\809
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Escalation
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\WMR
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
\xe2\x80\xa8\xc8\x87EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-0c-29-dc-04-c0
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\ContextDllCreateObjectContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\ContextDllCreateObjectContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6A7AE7C1
HKEY_CURRENT_USER\Control Panel\International\LocaleName
HKEY_CURRENT_USER\Control Panel\International\sCountry
HKEY_CURRENT_USER\Control Panel\International\sList
HKEY_CURRENT_USER\Control Panel\International\sDecimal
HKEY_CURRENT_USER\Control Panel\International\sThousand
HKEY_CURRENT_USER\Control Panel\International\sGrouping
HKEY_CURRENT_USER\Control Panel\International\sNativeDigits
HKEY_CURRENT_USER\Control Panel\International\sCurrency
HKEY_CURRENT_USER\Control Panel\International\sMonDecimalSep
HKEY_CURRENT_USER\Control Panel\International\sMonThousandSep
HKEY_CURRENT_USER\Control Panel\International\sMonGrouping
HKEY_CURRENT_USER\Control Panel\International\sPositiveSign
HKEY_CURRENT_USER\Control Panel\International\sNegativeSign
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat
HKEY_CURRENT_USER\Control Panel\International\sShortTime
HKEY_CURRENT_USER\Control Panel\International\s1159
HKEY_CURRENT_USER\Control Panel\International\s2359
HKEY_CURRENT_USER\Control Panel\International\sShortDate
HKEY_CURRENT_USER\Control Panel\International\sLongDate
HKEY_CURRENT_USER\Control Panel\International\iCountry
HKEY_CURRENT_USER\Control Panel\International\iMeasure
HKEY_CURRENT_USER\Control Panel\International\iPaperSize
HKEY_CURRENT_USER\Control Panel\International\iDigits
HKEY_CURRENT_USER\Control Panel\International\iLZero
HKEY_CURRENT_USER\Control Panel\International\iNegNumber
HKEY_CURRENT_USER\Control Panel\International\NumShape
HKEY_CURRENT_USER\Control Panel\International\iCurrDigits
HKEY_CURRENT_USER\Control Panel\International\iCurrency
HKEY_CURRENT_USER\Control Panel\International\iNegCurr
HKEY_CURRENT_USER\Control Panel\International\iCalendarType
HKEY_CURRENT_USER\Control Panel\International\iFirstDayOfWeek
HKEY_CURRENT_USER\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009
HKEY_PERFORMANCE_TEXT\Counter
HKEY_PERFORMANCE_DATA\238
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\RequiredPrivileges
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Environment
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Volatile Environment
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\356E510D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\wminet_utils.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableFileTracing
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileTracingMask
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableConsoleTracing
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\ConsoleTracingMask
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\MaxFileSize
\xec\x89\x80\xc8\x94EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Counter Names
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenBadTlds
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenBadTlds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\FilterClusterIp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\FilterClusterIp
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseEdns
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseEdns
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\QueryIpMatching
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryIpMatching
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseHostsFile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseHostsFile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AddrConfigControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AddrConfigControl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableWanDynamicUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationTTL
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheTtl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCachedSockets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCachedSockets
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\CacheAllCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseNewRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistrationOnly
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6AEE89DD-BCBC-4329-B07B-C7EEC7EFD7EC}\DhcpDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\SearchList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\NodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpNodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\ScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableProxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableDns
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
\xe8\x91\xb0\xc8\x99EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
\xe8\x91\xb0\xc8\x99EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
\xe8\x91\xb0\xc8\x99EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheRepair
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePath
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePrefix
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheLimit
\xe8\x91\xb0\xc8\x99EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
\xe2\x80\xa8\xc8\x87EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{316489BF-65ED-4AF5-AFEC-7BE049340399}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{4341479F-B6BD-457D-8E86-55FA412EAE0D}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{78EF30B6-D6A0-4544-90F6-906117CBB012}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F2271F06-C724-4751-B6D7-1CAD69875ED2}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6A7AE7C1
HKEY_CURRENT_USER\Control Panel\International\LocaleName
HKEY_CURRENT_USER\Control Panel\International\sCountry
HKEY_CURRENT_USER\Control Panel\International\sList
HKEY_CURRENT_USER\Control Panel\International\sDecimal
HKEY_CURRENT_USER\Control Panel\International\sThousand
HKEY_CURRENT_USER\Control Panel\International\sGrouping
HKEY_CURRENT_USER\Control Panel\International\sNativeDigits
HKEY_CURRENT_USER\Control Panel\International\sCurrency
HKEY_CURRENT_USER\Control Panel\International\sMonDecimalSep
HKEY_CURRENT_USER\Control Panel\International\sMonThousandSep
HKEY_CURRENT_USER\Control Panel\International\sMonGrouping
HKEY_CURRENT_USER\Control Panel\International\sPositiveSign
HKEY_CURRENT_USER\Control Panel\International\sNegativeSign
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat
HKEY_CURRENT_USER\Control Panel\International\sShortTime
HKEY_CURRENT_USER\Control Panel\International\s1159
HKEY_CURRENT_USER\Control Panel\International\s2359
HKEY_CURRENT_USER\Control Panel\International\sShortDate
HKEY_CURRENT_USER\Control Panel\International\sLongDate
HKEY_CURRENT_USER\Control Panel\International\iCountry
HKEY_CURRENT_USER\Control Panel\International\iMeasure
HKEY_CURRENT_USER\Control Panel\International\iPaperSize
HKEY_CURRENT_USER\Control Panel\International\iDigits
HKEY_CURRENT_USER\Control Panel\International\iLZero
HKEY_CURRENT_USER\Control Panel\International\iNegNumber
HKEY_CURRENT_USER\Control Panel\International\NumShape
HKEY_CURRENT_USER\Control Panel\International\iCurrDigits
HKEY_CURRENT_USER\Control Panel\International\iCurrency
HKEY_CURRENT_USER\Control Panel\International\iNegCurr
HKEY_CURRENT_USER\Control Panel\International\iCalendarType
HKEY_CURRENT_USER\Control Panel\International\iFirstDayOfWeek
HKEY_CURRENT_USER\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_PERFORMANCE_TEXT\Counter
HKEY_PERFORMANCE_DATA\238
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiSystemHost\RequiredPrivileges
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\JJB-175325-_33001_RASAPI32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\JJB-175325-_33001_RASAPI32\FileDirectory
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
kernel32.dll.NlsGetCacheUpdateCount
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.GetCalendarInfoW
kernel32.dll.RtlMoveMemory
kernel32.dll.EnumUILanguagesA
kernel32.dll.GetTickCount
kernel32.dll.Sleep
user32.dll.GetCursorPos
user32.dll.EnumWindows
kernel32.dll.SetErrorMode
kernel32.dll.SetLastError
kernel32.dll.VirtualAllocEx
kernel32.dll.CloseHandle
shell32.dll.ShellExecuteW
kernel32.dll.WriteFile
kernel32.dll.UnmapViewOfFile
kernel32.dll.CreateFileW
kernel32.dll.TerminateProcess
kernel32.dll.VirtualProtectEx
kernel32.dll.CreateProcessInternalW
kernel32.dll.GetTempPathW
kernel32.dll.GetLongPathNameW
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
ntdll.dll.NtProtectVirtualMemory
kernel32.dll.GetCommandLineW
ntdll.dll.NtGetContextThread
ntdll.dll.NtSetContextThread
ntdll.dll.NtResumeThread
kernel32.dll.GetExitCodeProcess
kernel32.dll.RaiseException
kernel32.dll.GetLastError
kernel32.dll.IsBadReadPtr
kernel32.dll.VirtualProtect
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.WideCharToMultiByte
kernel32.dll.lstrlenW
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetModuleFileNameA
kernel32.dll.LoadLibraryA
kernel32.dll.FreeResource
kernel32.dll.SizeofResource
kernel32.dll.LockResource
kernel32.dll.LoadResource
kernel32.dll.FindResourceA
kernel32.dll.Module32Next
kernel32.dll.Module32First
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.GetCurrentProcessId
kernel32.dll.CreateFileA
kernel32.dll.GetModuleHandleW
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.FreeLibrary
kernel32.dll.HeapAlloc
kernel32.dll.HeapReAlloc
kernel32.dll.GetCommandLineA
kernel32.dll.DeleteCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.HeapCreate
kernel32.dll.ExitProcess
kernel32.dll.GetStdHandle
kernel32.dll.HeapSize
kernel32.dll.GetCurrentProcess
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.IsDebuggerPresent
kernel32.dll.GetConsoleCP
kernel32.dll.GetConsoleMode
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.InterlockedIncrement
kernel32.dll.GetCurrentThreadId
kernel32.dll.InterlockedDecrement
kernel32.dll.FlushFileBuffers
kernel32.dll.SetFilePointer
kernel32.dll.SetHandleCount
kernel32.dll.GetFileType
kernel32.dll.GetStartupInfoA
kernel32.dll.RtlUnwind
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.GetCPInfo
kernel32.dll.GetACP
kernel32.dll.GetOEMCP
kernel32.dll.IsValidCodePage
kernel32.dll.CompareStringA
kernel32.dll.CompareStringW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.WriteConsoleA
kernel32.dll.GetConsoleOutputCP
kernel32.dll.WriteConsoleW
kernel32.dll.SetStdHandle
kernel32.dll.GetLocaleInfoA
kernel32.dll.LCMapStringA
kernel32.dll.LCMapStringW
kernel32.dll.GetStringTypeA
kernel32.dll.GetStringTypeW
kernel32.dll.SetEndOfFile
kernel32.dll.CreateThread
kernel32.dll.GetCurrentThread
kernel32.dll.TerminateThread
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
mscoree.dll._CorExeMain
mscoree.dll.CLRCreateInstance
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll.CLRCreateInstance
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
msvcrt.dll._set_error_mode
msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
mscoree.dll._CorImageUnloading
mscoree.dll._CorValidateImage
ole32.dll.CoInitializeEx
kernel32.dll.QueryActCtxW
kernel32.dll.GetVersionExW
ole32.dll.CoGetContextToken
kernel32.dll.GetFullPathNameW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
mscorjit.dll.getJit
kernel32.dll.lstrlen
kernel32.dll.GetUserDefaultUILanguage
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.GetEnvironmentVariableW
cryptsp.dll.CryptAcquireContextW
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
ole32.dll.MkParseDisplayName
oleaut32.dll.#2
oleaut32.dll.#6
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
ole32.dll.BindMoniker
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
sxs.dll.SxsLookupClrGuid
kernel32.dll.ReleaseActCtx
oleaut32.dll.#9
oleaut32.dll.#4
oleaut32.dll.#283
oleaut32.dll.#284
mscoreei.dll._CorDllMain
mscoree.dll.GetTokenForVTableEntry
mscoree.dll.SetTargetForVTableEntry
mscoree.dll.GetTargetForVTableEntry
mscoreei.dll.GetTokenForVTableEntry
mscoreei.dll.SetTargetForVTableEntry
mscoreei.dll.GetTargetForVTableEntry
kernel32.dll.LocalAlloc
oleaut32.dll.VariantInit
oleaut32.dll.VariantClear
oleaut32.dll.#7
kernel32.dll.CreateEventW
kernel32.dll.SwitchToThread
kernel32.dll.SetEvent
ole32.dll.CoWaitForMultipleHandles
ole32.dll.IIDFromString
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
ole32.dll.CoUninitialize
oleaut32.dll.#500
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
kernel32.dll.RegOpenKeyExW
advapi32.dll.GetUserNameW
kernel32.dll.GetComputerNameW
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
kernel32.dll.DuplicateHandle
user32.dll.CallWindowProcW
user32.dll.RegisterWindowMessageW
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtGetCurrentProcessorNumber
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
rasapi32.dll.RasEnumConnectionsW
rtutils.dll.TraceRegisterExA
rtutils.dll.TracePrintfExA
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceStatus
sechost.dll.CloseServiceHandle
ws2_32.dll.WSAStartup
ws2_32.dll.WSASocketW
ws2_32.dll.setsockopt
ws2_32.dll.WSAEventSelect
ws2_32.dll.ioctlsocket
ws2_32.dll.closesocket
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
kernel32.dll.LocalFree
kernel32.dll.CreateFileMappingW
kernel32.dll.MapViewOfFile
kernel32.dll.VirtualQuery
kernel32.dll.ReleaseMutex
advapi32.dll.CreateWellKnownSid
kernel32.dll.CreateMutexW
kernel32.dll.WaitForSingleObject
kernel32.dll.OpenMutexW
kernel32.dll.OpenProcess
kernel32.dll.GetProcessTimes
ws2_32.dll.WSAIoctl
kernel32.dll.FormatMessageW
rasapi32.dll.RasConnectionNotificationW
advapi32.dll.RegOpenCurrentUser
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegNotifyChangeKeyValue
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIfEntry2
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
nsi.dll.NsiFreeTable
kernel32.dll.ResetEvent
winhttp.dll.WinHttpDetectAutoProxyConfigUrl
kernel32.dll.GlobalFree
ws2_32.dll.getaddrinfo
ws2_32.dll.#116
iphlpapi.dll.GetNetworkParams
dnsapi.dll.DnsQueryConfig
iphlpapi.dll.GetAdaptersAddresses
iphlpapi.dll.GetIpInterfaceEntry
iphlpapi.dll.GetBestInterfaceEx
ws2_32.dll.inet_addr
ws2_32.dll.freeaddrinfo
shfolder.dll.SHGetFolderPathW
ws2_32.dll.WSAConnect
mscoreei.dll.LoadLibraryShim
ws2_32.dll.send
culture.dll.ConvertLangIdToCultureName
ws2_32.dll.recv
user32.dll.GetLastInputInfo
mlang.dll.#112
wininet.dll.FindFirstUrlCacheEntryA
kernel32.dll.SetFileInformationByHandle
vaultcli.dll.VaultEnumerateVaults
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
oleaut32.dll.#201
user32.dll.SetWindowsHookExW
user32.dll.SetClipboardViewer
ole32.dll.OleInitialize
ole32.dll.OleGetClipboard
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
user32.dll.SendMessageW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.IsWindowUnicode
user32.dll.GetMessageW
user32.dll.TranslateMessage
user32.dll.DispatchMessageW
user32.dll.WaitMessage
ws2_32.dll.shutdown
oleaut32.dll.#200
kernel32.dll.CreateSemaphoreA
security.dll.EnumerateSecurityPackagesW
security.dll.FreeContextBuffer
mscoree.dll.ND_RI4
mscoreei.dll.ND_RI4
security.dll.FreeCredentialsHandle
security.dll.AcquireCredentialsHandleW
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
security.dll.DeleteSecurityContext
security.dll.InitializeSecurityContextW
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
security.dll.QueryContextAttributesW
ncrypt.dll.SslLookupCipherSuiteInfo
crypt32.dll.CertFreeCertificateContext
crypt32.dll.CertDuplicateCertificateContext
crypt32.dll.CertGetCertificateContextProperty
crypt32.dll.CertCloseStore
crypt32.dll.CertDuplicateStore
crypt32.dll.CertEnumCertificatesInStore
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertOpenStore
crypt32.dll.CertAddCertificateLinkToStore
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.QueryServiceConfigW
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
cryptnet.dll.CryptGetObjectUrl
cryptnet.dll.I_CryptNetGetConnectivity
sensapi.dll.IsNetworkAlive
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall2
cryptnet.dll.CryptRetrieveObjectByUrlW
setupapi.dll.SetupIterateCabinetW
kernel32.dll.RegCloseKey
cabinet.dll.#20
cabinet.dll.#22
devrtl.dll.DevRtlGetThreadLogToken
cabinet.dll.#23
cryptsp.dll.CryptSetHashParam
cryptsp.dll.CryptVerifySignatureA
sechost.dll.QueryServiceConfigA
rpcrt4.dll.RpcStringBindingComposeA
rpcrt4.dll.RpcBindingFromStringBindingA
rpcrt4.dll.RpcEpResolveBinding
rpcrt4.dll.RpcStringFreeA
rpcrt4.dll.RpcBindingFree
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpCrackUrl
shlwapi.dll.StrCmpNW
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetProxyForUrl
winhttp.dll.WinHttpTimeFromSystemTime
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryHeaders
shlwapi.dll.StrStrIW
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpCloseHandle
cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo
cryptnet.dll.I_CryptNetSetUrlCachePreFetchInfo
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
crypt32.dll.CertDuplicateCertificateChain
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
crypt32.dll.CertVerifyCertificateChainPolicy
security.dll.EncryptMessage
ncrypt.dll.SslEncryptPacket
security.dll.DecryptMessage
ncrypt.dll.SslDecryptPacket
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcStringFreeW
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
advapi32.dll.RegSetValueExW
cryptsp.dll.CryptReleaseContext
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
kernel32.dll.IsThreadAFiber
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernel32.dll.SetThreadToken
kernelbase.dll.CheckTokenMembership
kernelbase.dll.AllocateAndInitializeSid
ole32.dll.CLSIDFromString
oleaut32.dll.#17
oleaut32.dll.#20
oleaut32.dll.#19
oleaut32.dll.#25
authz.dll.AuthzInitializeContextFromSid
oleaut32.dll.#285
oleaut32.dll.#12
oleaut32.dll.#286
ole32.dll.CoGetCallContext
ole32.dll.CoImpersonateClient
advapi32.dll.OpenThreadToken
ole32.dll.CoRevertToSelf
oleaut32.dll.#8
ole32.dll.CoSwitchCallContext
advapi32.dll.LogonUserExExW
sspicli.dll.LogonUserExExW
oleaut32.dll.#287
oleaut32.dll.#288
oleaut32.dll.#289
kernel32.dll.RegCreateKeyExW
ntdll.dll.EtwRegisterTraceGuidsW
ntmarta.dll.GetMartaExtensionInterface
oleaut32.dll.#290
wmi.dll.WmiQueryAllDataW
wmi.dll.WmiQuerySingleInstanceW
wmi.dll.WmiSetSingleItemW
wmi.dll.WmiSetSingleInstanceW
wmi.dll.WmiExecuteMethodW
wmi.dll.WmiNotificationRegistrationW
wmi.dll.WmiMofEnumerateResourcesW
wmi.dll.WmiFileHandleToInstanceNameW
wmi.dll.WmiDevInstToInstanceNameW
wmi.dll.WmiQueryGuidInformation
wmi.dll.WmiOpenBlock
wmi.dll.WmiCloseBlock
wmi.dll.WmiFreeBuffer
wmi.dll.WmiEnumerateGuids
\x01C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe"
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
Global\CLR_CASOFF_MUTEX
Global\.net clr networking
Local\_!MSFTHISTORY!_
Local\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!user!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!
VaultSvc
WerSvc

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00401948
Reported Checksum 0x000f025a
Actual Checksum 0x000f025a
Minimum OS Version 4.0
Compile Time 2014-04-20 13:36:45
Import Hash 96d74e5fabb37d9583b5e439e846719d

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000e76a8 0x000e8000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.50
.data 0x000e9000 0x000012c8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x000eb000 0x00001f00 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.06

Imports

Library MSVBVM60.DLL:
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010 __vbaHresultCheck
0x401014 None
0x401018 __vbaFreeVar
0x40101c __vbaLenBstr
0x401020 __vbaStrVarMove
0x401024 __vbaFreeVarList
0x401028 __vbaEnd
0x40102c _adj_fdiv_m64
0x401030 None
0x401034 _adj_fprem1
0x401038 None
0x40103c __vbaStrCat
0x401040 __vbaSetSystemError
0x401048 None
0x40104c _adj_fdiv_m32
0x401050 None
0x401054 __vbaLateMemSt
0x401058 __vbaObjSet
0x40105c _adj_fdiv_m16i
0x401060 __vbaObjSetAddref
0x401064 _adj_fdivr_m16i
0x401068 None
0x40106c None
0x401070 None
0x401074 __vbaFpR8
0x401078 None
0x40107c _CIsin
0x401080 None
0x401084 __vbaChkstk
0x401088 EVENT_SINK_AddRef
0x40108c __vbaStrCmp
0x401090 __vbaVarTstEq
0x401094 __vbaCyI4
0x401098 __vbaObjVar
0x40109c None
0x4010a0 DllFunctionCall
0x4010a4 None
0x4010a8 __vbaCastObjVar
0x4010ac None
0x4010b0 _adj_fpatan
0x4010b4 __vbaLateIdCallLd
0x4010b8 EVENT_SINK_Release
0x4010bc None
0x4010c0 _CIsqrt
0x4010c8 __vbaExceptHandler
0x4010cc __vbaStrToUnicode
0x4010d0 None
0x4010d4 _adj_fprem
0x4010d8 _adj_fdivr_m64
0x4010dc __vbaI2Str
0x4010e0 __vbaFPException
0x4010e4 None
0x4010e8 None
0x4010ec None
0x4010f0 _CIlog
0x4010f4 None
0x4010f8 __vbaErrorOverflow
0x4010fc __vbaNew2
0x401100 __vbaInStr
0x401104 None
0x401108 _adj_fdiv_m32i
0x40110c _adj_fdivr_m32i
0x401110 __vbaStrCopy
0x401114 None
0x401118 __vbaVarSetObj
0x40111c __vbaFreeStrList
0x401120 _adj_fdivr_m32
0x401124 _adj_fdiv_r
0x401128 None
0x40112c None
0x401130 __vbaVarTstNe
0x401134 __vbaI4Var
0x401138 None
0x40113c __vbaLateMemCall
0x401140 __vbaVarAdd
0x401144 __vbaStrToAnsi
0x401148 __vbaVarDup
0x401150 None
0x401154 __vbaLateMemCallLd
0x401158 _CIatan
0x40115c __vbaStrMove
0x401160 __vbaI4Cy
0x401164 None
0x401168 _allmul
0x40116c None
0x401170 _CItan
0x401174 _CIexp
0x401178 __vbaFreeStr
0x40117c __vbaFreeObj
0x401180 None

.text
`.data
.rsrc
MSVBVM60.DLL
@Q'QA
LowerGattiVIN
LowerGattiLulubelle
LowerGattiMyral10
hkkqC
mkk`R
mkkOR
kkk_C
@akkBC
JpzzbC
4;((((((
|2}zz
pizzB
(-&-)-
emeUUU%*%vvqv~~
--xyk
|mNtgx--
------
:zwQ@
vX;qHk
.>B-x
qz~w)
B?Y#K
;u8gL
8zO|@
d-u-r-DvFvGv
------vvvvvvo7Q2
LowerGattiMyral10
LowerGattithema9
LowerGattirikishas
LowerGattiIndiscernibly0
LowerGattiTenuirostral
LowerGattiPREREQUIREMENT
LowerGattilalla5
LowerGattiArmadillidium
LowerGattiTetrander2
LowerGattiRunnells6
LowerGattiblitheness
LowerGattiHOMOPHONES4
LowerGattiMasterless7
LowerGattistages
LowerGattiENTRANCINGLY6
LowerGattiprogypsy
LowerGattikatukina4
LowerGattidisappearing4
LowerGattiAchromic
LowerGattiSemirevolute10
VB5!6&*
LowerGattistateliest0
LowerGattiRECROSSING
LowerGattiVIN
LowerGattiVIN
LowerGattiLulubelle
LowerGattiJOINTLY4
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
LowerGattiPREREQUIREMENT
LowerGattikatukina4
LowerGattistages
LowerGattirikishas
LowerGattiTetrander2
LowerGattithema9
LowerGattiArmadillidium
LowerGattiHOMOPHONES4
LowerGattiTenuirostral
kernel32
RtlMoveMemory
LowerGattiOUTBIRTH3
IsValidURL
EnumUILanguagesA
GetTempFileNameA
imm32.dll
ImmGetCompositionWindow
user32
SetCaretPos
DlgDirListComboBoxA
ADVAPI32.DLL
EqualPrefixSid
DdeReconnect
GetProfileSectionA
lz32.dll
LZInit
ImmEscapeA
CharLowerA
GetMenuContextHelpId
ReadFileEx
CreateDialogParamA
gdi32
GdiSetBatchLimit
RegQueryInfoKeyA
lstrcatA
ImmSetOpenStatus
RegLoadKeyA
CharUpperBuffA
GetKeyboardLayoutList
ScaleWindowExtEx
InsertMenuItemA
winspool.drv
PrinterMessageBoxA
CharLowerBuffA
LowerGattiMONIED
LowerGattiCOUNTERQUARTERED10
LowerGattiZEMALJSKI0
VBA6.DLL
__vbaErrorOverflow
__vbaLateIdCallLd
__vbaI4Var
__vbaVarTstEq
__vbaObjVar
__vbaStrVarMove
__vbaI2Str
__vbaVarAdd
__vbaLateMemSt
__vbaLateMemCallLd
__vbaLateMemCall
__vbaVarSetObj
__vbaFreeStrList
__vbaFpR8
__vbaStrCat
__vbaEnd
__vbaHresultCheck
__vbaVarTstNe
__vbaStrMove
__vbaObjSetAddref
__vbaFreeVarList
__vbaSetSystemError
__vbaStrCmp
__vbaVarDup
__vbaInStr
__vbaCastObjVar
__vbaNew2
__vbaFreeVar
__vbaVarLateMemCallLd
__vbaLenBstr
__vbaFreeObj
__vbaHresultCheckObj
__vbaStrCopy
__vbaCyI4
__vbaI4Cy
__vbaObjSet
__vbaVarMove
__vbaFreeStr
__vbaStrToUnicode
__vbaStrToAnsi
LowerGattiJOINTLY4
LowerGattiMONEMBRYONY9
*"37O
+!337P
#!7337M
M2257M
&!7337M
&!727O
'!67N
# 233k
LowerGattiMONEMBRYONY9
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j@hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} j4hp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jLhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} jHhp<K
} j4hp<K
S_--j
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaHresultCheck
__vbaFreeVar
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaLateMemSt
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaVarTstEq
__vbaCyI4
__vbaObjVar
DllFunctionCall
__vbaCastObjVar
_adj_fpatan
__vbaLateIdCallLd
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaI2Str
__vbaFPException
_CIlog
__vbaErrorOverflow
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaVarSetObj
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaI4Var
__vbaLateMemCall
__vbaVarAdd
__vbaStrToAnsi
__vbaVarDup
__vbaVarLateMemCallLd
__vbaLateMemCallLd
_CIatan
__vbaStrMove
__vbaI4Cy
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
*"37O
+!337P
#!7337M
M2257M
&!7337M
&!727O
'!67N
# 233k
LowerGattiPirooz
LowerGattiOE10
STDTEKARDANENSPOUTIERLINE
Clubhaulingt6
e93mvjXGDTvqyZY120HN8HYbDqg30GHmnPJ6V86ls42HcIIWSHYT61ezSuKAs70Ks12
yDuNBIJNHnazptsdbcmuFd81
NiQgeiauaRzdq8WQxZTCBPCYbp62G9tvNuDJiH923Irghu6G4167
NONCONSTRUABILI
Bdepraksissensjomfruerskrykkesstjflsommeresecretinsnonimmunizationretfrd1
Varmefyldeexe1
WAIRDUNCAVALIERBILIMPORTRERMICROCYTESHENANIGANAUTOSKADESRENTEBELBENEREINDUCTSPSYCHONFOTO
TAPETDRENSDOERNESAMPMANIERSDEDIKATIONSEKSEMPL
Pledgerundvendighedersugiftkraeftkrydshvlvetmulcibirianth
Disciplinrsagheadsheetsfredeligtvarieteterlafayetteveterinrestilt7
Brnerigestemicrocephaliaunprayciviliseringensafslapningsve
Bridgewardwhistlewingandorranskeshulkortsoperatrsen8
perfectestaddlepatedslagstiftersaimlessencyklopdistendicalciumreva
NONOPPRESSIVELYDEFUSIONDKLISTERSFARANDOLESLANDSTINGSMEDLEMUNACCIDEN
BEPLANTNINGERRATIONALISERSGALLIVANTEDTRUXILLICFORBINDSSTOFP
POMSTERJOHNNICENTUPLICATINGUDBLOKKETMEDGIFT
NUMMERPLADESPHILTERSKYLEUNDERDRIVENDEMONTBRETIASPRO
AUSTEMPERBLAZERPICHNASCENCEETATISMAKKUMULATI
Paradichlorbenzolminoritetenslutvaer5
Showfulomtaagethedensprojektledelsernesvaabenshornwormco
Bussen
PROTARGOLIDOL
GHASTLIERFINGERWISEVALLEYLIKEBILDRBTESDR
INCONCEALABLEBOLISLYKNSKNINGENSULFHYDRA
SQUILLIANZEPHYROUSLIVAGTIGTOFAGSV
Samarascrape
ANTIFOGMATICDAMPSSKIBSSELSKABJESTWISEBRINGERSOCCULTI
rulingderivativetunuredpointerslbn
Indicerendedalianceskiftingerberingiteantegningernessuperprecariouslyudsmeltesstrigs
Dongingoralitieschildcrowinghjpasshiningerskostik5
Assyrienfyldordenesmaharajasadvisetswagneristnedrustningssamkvemsmulighederstemple7
Mesalliancerfragrantly
Bumboatmenvoldsommeresgriller9
tikkenescurmudgeonsredhibitionsnekkedrevsstrammernesnithersjlemesserneprocomedyhandel
Speditionsforretni6
MERISTOGENOUSTAGRYGNINGENENCUM
ENTOSTERNUMMOTIONSS
Subarticulativekonjunktivaberdevinefootlininghexactiniansciathe3
Prelatrafikunderlagetcastawaysunderschemeekspertsystemssterigtetstrtanker4
Informationsstrmregentskabetudhulendesoutporto6
TROJKAOPSAMLINGENSNOTARISESRENSEVSKERS
Arteriographprisfaldenesisocyanurateanathematizingsaebedesminepledgerundvendighede3
mulcibirianthumbnutsgib
Headsheet
Lafayetteveterinrestiltalefrafaldrayshalmdisfr
Unprayciviliseringensafslapningsvelseskinasbacilligenicbridgewardwhis
Spearwortmangel3
Lineamentsmastersingersintermodillionperfectestaddlepatedslagstiftersaimless
revaccinationsexpounderskeypadsnonoppressivelydefusiondkli
unaccidentedreservations
ratio
Encumbersmisinstructedgriotssubarticulati
FORBINDSSTOFPASTORALLYOXYACIDBATHESNUMMERPLADESPHILTERSKYLEUNDERDRIVENDEMONTBRETIASPRO
Blazerpichnascenceetatismakkumulationsuncard8
slutvaerdienpersonlftapomi
LYKNSKNINGENSULFHYDRATEUNITESRUSTBEHANDLINGERNESSQUI
MDENDESDRUIDICALPA
OMTAAGETHEDENSPROJEKTLEDELSERNESVAABENSHORNWORMCOMETOGRAPHICALGALGENFUGLESTRLBIND
Centuplicatingudblokk9
Bedvel
Idolastrepunchablesuspensionerneghastlierfingerwisevalleylikebildrbtesdruenst7
Tofagsvinduerremilitariz
CRAPEFISHFLAMMEHAVSBINDLETANTIFOGMATICDAMPSSKIBSSELSKABJESTWISEBRINGERSOCCULTISM
derivativetunuredpointerslbningers
tebirkessema
dalianceskiftingerberingiteantegningernessuperprecariouslyudsmeltesstrigsrejsensfori
Mangelvaresstdt
Oralitieschildcrowinghjpasshiningerskostikkenesrisikovilli9
lejekasernerneslawnleafbadevgteseraphi
fragrantlykalkstenenso
GRILLERINGERSDEFDSELTEASELEDTERRIFYTIKKENESCURM
nithersjlemesserneprocomedyhandelsatt
FOOTLININGHEXACTINIANSCIATHERICPAAHRKOKONEROVERE
Castawaysunderschemeekspertsystemssterigtet4
VALDRAPINFORMATIONSSTRMREGENTSKABETUD
Observansenscoregencestarlett3
Afslapni
WHISTLEWINGANDORRANSKESHULKORTSOPERATRSENTOSTERNUMM
Rensevskerstossedsniperscopearteriographprisfaldenesisocyanurateanathema6
undvendighedersugiftkraeftkrydshvlvetmulcibirianthumbnutsgibinformatorydisc
varieteterlafay
RAYSHALMDISFREQUENTBRNERIGESTEMICROCEPHALI
mastersingersintermodillionperfectestaddlepatedslagstiftersaimlessencyklopdi
expounderskeypadsnonoppressively
Farandoles9
egosbeplantningerrationalisersgallivantedtruxillicforbindsstofpastorallyoxyacid
Philterskyleunderdrivendemon7
PICHNASCENCEETATISMAKKUMULATIONSUNCARDEDSKUL
Personlftapomictconspireds4
Hornwormcometographicalgalgenfuglestrlbindespom
Udblokketmedgifternessemicelestialboreplatformenesbuss
punchablesusp
Samkvemsmulighederstemplere7
Valleylikebildrbtesdruenstransverterstopventilinconcealablebo9
RUSTBEHANDLINGERNESSQUILLIANZEPHYROUSLIVAGTIGTOFAGSVINDUERREMILITARIZEDEVINDELIGHEDERNES
FLAMMEHAVSBINDLETANTIFOGMATICDAMPSSKIBSSELSKABJESTWISEBR
MAHARAJASADVISET
satsbetegnelsernerulingderivativetunuredpointerslbningershydrofluoricfarvemonit
semantikerescircumstancessynonymiconindic
Beringiteantegningernessuperprecari5
ALLONGEDONGING
Hjpasshiningerskostikkenesrisikovilligteleviserendessk
kalkstenensordreseddelbumb
Sdefdselteaseledt6
ersglycerinati
druidicalpastoratetsmeristogenoustagry
ZI2JbWb37CQeoBMYIhbPeKZ21lx118
HOVEDBRUDDENESINTE
b3X142
Griotssubarticulativekonjunktivaberdevinefootlininghexactiniansciather3
Trafikunderlagetcastawaysunderschemeekspertsystemssterigtetstrtankerssylb5
REGENTSKABETUDHULEND
COREGENCESTARLETTERNETROJKAOP
tossedsniperscopearteriographpri
Depelsionitedifferentieringerneminskymelaniticvipstjrtsvgensbastardiserin
VIVIFICATINGRVERHVDINGUNHUMBLYSTRIDSSPRGS
Unexplosivesorghosrammevvenesarterieforkalkningerneskli3
Photomicrographicallyprevaricativelagerkapaci5
Atheneumepigonstimersbevismaterialetsflgensampelograpnyhardestuligdrejesafvrgemanvre
H4xOzwgCtaqXcXkKBIufrmdjJgsW4URZ48
Dagbodssatsonionizedsexcresenceotologistskatteraadeneslottencryptoperthitetapsalteerieadea
Toss9npb185
Thanjaunass7
Sekundmeterestelpherwaykonomiseredesintervalhyppighedersfiletfabrikkernesstridula2
xTQ6twL6nthDIMD170
rchippolinibvergejlensplacentomabeknowdecimaltegneneszapfmetallicbanda
Ulqu0cEIV2ANje169
gCNY20TgHE8aq142
dpoFn70Yi0CvQiaPf6Uqe8dueMw57ltzTyqcRm799
Demilitariseringersbelgiskswi2
EgBLE7NaL206
cellekernerareiceyedropperfulcaukedparensroquetingfotoelektr
felcR6QFI1Smw8bNiJSx159
Nonagglomerativeunsatiatingreverencingsvlgslanthanadobb8
Antefactfornuftigesplanlgningerspuerilomgavessmrblomstensejerindeuri
TYPHLATONYTHETISKOOPERERESOVERKOMMANDOERNESSANDHVEPSENINDDMMERGR
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI149
Traditionarilyudviskningerbrotuliformprologuisingn7
aftercareergudsforngtelserskemikalieaffaldenesdeckergehejmeraadlilineacidifi
b3X126
SKRUEFORMETFO
Toss9npb183
Posologiespanaderetydspraksisseneboli
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n116
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI91
Flyttemandenruffetskomplikationerneschattereralcyonicunsur8
AF159
Divertedreimportedhejsevrkstvangssalgssemipropagandistembryonspol2
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI102
afprvningsfasenogetstedsforstbotanikkernepsychob
AF161
Nonsynchronalstagnationerovariectomisedspongoblastbrandstationenrecoa6
b3X211
Cyclosporousindiscretionfrilagersnaturgivensulfovaskemidler
Toss9npb63
kursusstuderendebarbersde
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n120
feudedbestik
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n144
STARDUSTCARDMAKERARBEJDSBOGHYPOPNOEASUBSTANTIAEAUTO
VENNURSEGIRLTOLER
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI233
Coldlyvandhull
b3X55
Kannumequa
Toss9npb111
gennemsgernonhumanizedgypstershomel
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n194
taalerconvairlysigenousbrutalecajoleriesbewitchfulsackinggemworkkrater
Counte
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI156
PELYCOMETRYCHRYS
b3X223
Sionitedifferentieringerneminskymelaniticvipstjrtsvgensbastardiseringensh9
Toss9npb87
UNHUMBLYSTRIDSSPRGSMAALMORTIFIEDA
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n174
Confermentsunexplosivesorghosrammevvenesarterieforkalkningerneskli3
Prevaricativelagerkapacitetensmiljforstyrrels9
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI111
Epigonstimersbevismaterialetsflgensampelograpnyhard1
b3X189
Toss9npb42
onionize
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n37
SKATTERAADENESLOTTENCRYPTOPERTHITETAPSALTEERIEADEASBISULFATSSHELFFULSEKUN
Intervalhyppighedersfiletfabrikkernesstridulatin2
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI35
Panaderetydspraksisseneboligspecialis
spolrchippolinibvergejlensplacentomabeknowdecimaltegneneszapfmetallicbandagefungousalk
parasollerdemilitariseringersbelgiskswingletailmassebevgelsejannaseriancell
CAUKEDPARENSROQUETINGFOTOELEKTRISKBLOBBINESSCLAUDICATENONAGG
FOLKEMINDEFOR
Svlgslanthanadobbeltvrelsetsudredelseraftslongiloquentantefactfornuftigesplanlg3
EJERINDEURICOSURICELOXALHEPTAHEDRATYP
Overkommandoernessandhv
verrucaprediscontinuationaftercareergudsforngtelserskemikalieaf
lilineacidificat
RUFFETSKOMPLIKATIONERNESCHATTERERALCYONICUNSURCHARGESKRMHA
Reimportedhejsevrkstvangssalgssemipropagandistembryonspollistmoms
stagnationerovariectomisedspongoblastbrandstationenrecoagulatetrendsd
Unassociabl7
LowerGattiKavala
Indiscretionfrilagersnaturgivensulfovaskemidlernesamputer3
Devillikeglabrousnessaandfuldeafprvningsfasenogetst
Utjenstdygtigtantisepaloustraditionarilyudviskningerbrotuliformprologuisingne7
INTELLECTUALISTICA
bestikholder
Cardmakerarbejdsboghypopnoeasubstantiaeautopilotenu
nursegirltoleratedunofficedforforstrkningensco
dybgang
jrliefsimultantolkegennemsgernonhumanizedgypstershomelierflotermonarchianismta
Reperceptionimprecatorilydivertedrei
Brutalecajoleriesbewitchfulsackinggemworkkraterbracteolateblytkkerco
CHRYSIDIDAEWOODC
Differentieringerneminskymelaniticvipstjrtsvgensbastardis
Rverhvdingunhumblystridssprgsmaalmortifie
Metallicbandagefungousalkvantorleydenpewingpara
Iodotherapyconfermentsunexplosivesorghosrammevvenesarterieforkalkninge
MAIICAUNDFANGEDEPHOTOMICROGRAPHI
MILJFORSTYRRELSERNETORSD
Stimersbevismaterialetsflgensampelograpnyhardestuli
MORTIFIEDAFGRETMYOTONUSIODOTHERAPYCONFE
EXCRESENCEOTOLOGISTSKATTERAADENESLOTTENCRYPTOPERTHITETAPSALTEERIEADEASBI
Telpherwaykonomiseredesintervalhyp
rchippolinibvergejlensplacentomab
Swin2
baYS9DJsbsJdP3CSc9Wh5qwzniUE74
areiceyedropperfulcaukedparensroquetingfotoelektriskblobbine
unsatiatingreverencingsvlgslanthanadobbeltvrelsetsudredelseraftslongilo
Planlgningersp4
uricosurice
b3X191
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI2
Disadornflytt3
thetiskoopereresoverkommandoernessandhvepseninddmmergrandnessverrucaprediscontinuation
Toss9npb146
kemikalieaffalden
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n63
Acidificationjac
Scalzsoireposologiespanaderetydsprak
b3X119
alcyonicunsurchargeskrmhaandteringreperceptionimprecat
Toss9npb137
Hejsevrkstvangssalgssemipropagandistembryonspollistmomsbelggehaglskadesmaraeno8
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n164
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n27
ArvNaisK187
Brandstationenrecoagulatetrendsdownslideengrcyclosporousindiscretionfrilagersnatur1
AF222
barbersdevillikeglabrousn
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI57
b3X241
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI213
LowerGattiParamimia
Antisepaloustraditionarilyudviskningerbrotuliformprologuisingneurologytannesh
Toss9npb254
seccofamiliegrupper
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n208
Eccle
AF150
Tilnavneneforetypifiedavalentstardustcardm
TRETTENAARSDAGESTHOR
ensvennursegirltoleratedun
b3X228
Vandhulletbukselngdensdybgangenskannumequalmyjrliefsimu
Toss9npb56
gypstershomelierflotermonarchianismtaalerconvairlysigenousbrutalecajole
Deckergehejmeraad5
GEMWORKKRATERBRACTEOLATEBLYTKKERCOUNTERREFERIDOLISEREDESFULDFEDESPELYCOMETRYCHRY
AF127
rsofficerernesviv9
rxelSmBZSMoP4rVU1gNxGQvfhcnabEECi9UUvAI164
b3X158
QIyVCOkAOR44
RAMMEVVENESARTERIEFORKALKNINGERNESKLIPPENSREKURSMYNDIGHEDENSMAIICAUNDFANGEDEPHOTOM
Toss9npb109
torsdagenesuperadmirable
ATZxtngPzrihTMBEa3KyBqO60j4K5qZq01n101
Bevismateria
AF101
HARDESTULIGDREJESAFVRGEMANVRERSANODEWEIRDLIKEDAGB
Otologistskatteraadeneslottencryptoperthitetapsalteerieadeas
bodKNG80oaefdhjZijxwjA250
KONOMISEREDESINTERVALHYPPIGHEDERSFILETFABRIKKERNESSTRIDULATINGOPLEVEDESETAGEAREAL
AegVvf3dWlNcI6113
CHIPPOLINIBVERGEJLEN
V5a9MzSV0sH8tYCgP2r5MfS101
DECIMALTEGNENESZAPFMETALLICBANDAGEFUNGOUSALKVANTORLE
yQO9kl0CWIxoPISy1fbcC197
Belgiskswingletailmassebevgel
IlMfrdjvqjbC8etW13
EYEDROPPERFULCAUKEDPARENSROQUETINGFOTOELEKTRISKBLOBBINESSCLA
gX4n3SGD5zC5fQIdNwTmCzwsGB49QzZ877
Reverencingsvlgslanthanadobbeltvrelsetsudredelseraftslongiloquentantefactfornuftigesplan3
O8RKmsgGkq4uy1zhvxhE144
Eloxalheptahedratyphlatonythetiskoope4
pjPyETltLewx3boXXjQox8OkpIKJ154
grandnessverrucapre
baYS9DJsbsJdP3CSc9Wh5qwzniUE24
Feltmadrasskrueformetfolkemindeforskningscalzsoireposologiespanade9
jxKyjeLxz00i5qaQxX5K5L153
Boligspecialisterfjendestatsdi
mhED5stuRo879
KOMPLIKATIONERNESCHATTERERALCYONI
pjPyETltLewx3boXXjQox8OkpIKJ90
mhED5stuRo895
eckBox
SEMIPROPAGANDISTEMBRYONSPOLLISTMOMSBELGGEHAG
ArvNaisK74
ovariectomisedspongoblastbrandstationenrecoagulatetrendsdownslideengrcyc
Naturgivensulfo
jxKyjeLxz00i5qaQxX5K5L52
Glabrousnessaandfuldeafpr2
udviskningerbrotuliformprologuisingneurologytanneshugginghjemmefdningershoved
pjPyETltLewx3boXXjQox8OkpIKJ36
Familiegruppersfeudedbestikholderenecclesiolatryeffektivitetensthanjaunassociabl7
baYS9DJsbsJdP3CSc9Wh5qwzniUE188
yBK6BFdWCix183
Arbejdsboghypopnoeasubstantiaeautopilotenundefenses
ArvNaisK37
Toleratedunofficedforforstrkningenscoldlyvandh
jxKyjeLxz00i5qaQxX5K5L26
Qualmyjrli2
mhED5stuRo889
SPORTIGSHIBAHGULDKORNSBELBSFELTERKUNKURSKOVFYRRENESU
ArvNaisK55
HOMELIERFLOTERMONARCHIANISMTAALERCONVAIRLYSIGENOUSBRUTALECAJOLERIESBEWI
pjPyETltLewx3boXXjQox8OkpIKJ9
kraterbracteolateblytkkercounterreferidoliseredesfuldfedespely
baYS9DJsbsJdP3CSc9Wh5qwzniUE47
baYS9DJsbsJdP3CSc9Wh5qwzniUE1
VB.Ch
Oversizedepelsionitedifferentieringerneminskymelaniticvipstjrtsvgensbastardiseringenshypno9
ArvNaisK188
stridssprgsmaalmortifiedafgretmyo
jxKyjeLxz00i5qaQxX5K5L134
Sorghosrammevvenesarterieforkalkningernesklippensrekurs5
mhED5stuRo849
Lagerkapacitetensmiljforstyrrelsernetorsdagenesuperadmirablenessatheneumepi1
pjPyETltLewx3boXXjQox8OkpIKJ57
Licensessluttyharnesseromkostnings
baYS9DJsbsJdP3CSc9Wh5qwzniUE241
Helbredsundersgelsern1
ArvNaisK11
Lxmo1tOEHfcwfs1
afhuggedecarlylesquedriftsforholdphallicsfeminiserethyttefadeneslakmusdigterevn
jxKyjeLxz00i5qaQxX5K5L148
Iridopupillar4
mhED5stuRo8201
Virksomheds2
pjPyETltLewx3boXXjQox8OkpIKJ145
coupsmillmatematikkersavedemonimolitem
Kollaboreredescarflikeinvadertrivalvearbejdskampeneslsorternavneattestenskordensfaneede4
ArvNaisK16
METALLISERINGMARGINIROSTRALREPOPULATEDNYPHOMANIAANAFORERCENSURENSRAADGIVNINGSV
jxKyjeLxz00i5qaQxX5K5L125
baYS9DJsbsJdP3CSc9Wh5qwzniUE200
Volgenanskaffelsesprisernebgeskovdniepertramaloceanografiskegraphometrica
mhED5stuRo8163
LOPHORTYXRIVALISERINGERSACOUSMAAMPHITROPALVENSTREFLJCOLLEENSOVERMENNESKERGRADUEREPARKB
pjPyETltLewx3boXXjQox8OkpIKJ247
Fjernopvarmede5
U6ms145
toskillingkasolitetenanterpromoveri
jxKyjeLxz00i5qaQxX5K5L171
daglnsconfrontingbaungaardallero
mhED5stuRo810
AGAPETAELINDENBORGR
pjPyETltLewx3boXXjQox8OkpIKJ40
Barklyitessterskibenesoologiesla
baYS9DJsbsJdP3CSc9Wh5qwzniUE144
Bulmeurtsubtilizepricksbryggerhestenesskvenfurtherance
ArvNaisK207
Banerneuefterretteligsteskrupulsesunderarchwoomcubicontravariantafrikanderense1
jxKyjeLxz00i5qaQxX5K5L209
pronotalrakeagephraseogrammessuperconductsamlivsundstningsakt
semitaejaillikeindenforuudryddeligerulletbjergbanenshomoeomorphmachinifyfolk
ZeJkdDCASDYNG8Nwgr79J9QCFE160
BHERSVESICULATEEMOLOASTATORSLGTNINGESSMRSOVSENSSYCONARIADEFICITTERNESPR
DYmkLqLhOTO22T3OsEShA1NE78
Ptorganiseringserubesce
SAFEGUARDERMETAPSYCHISTEKSAMENSORDNINGERNONTRANSFERENTIALKAR
Z2uW8bBinOQoKXYDlhJmAK9Xsj5ri7123
Klodeskyfrad7
eM2hsnEraUnxgH4A102
Flyvestationerfrhenretorsionensoverstrewedhumificationsmakrofunktioneroplbsthiobacilliblse6
hyX13
WEREWALLSISTERNSPORTSCASTERSROTATOR
lx6iN2enm8TNesiHsgLW2Oy45
Out of string sp
ictureBox
Parliamentarismunbankablenesslndelenenoninhabitabilitymotionle
Visible
Enabled
Toneladasnevilekturepenmatespejlgspanderssandwichelementeransamleroutbidshjerned
Doktorafhandlingensnordenomunpaintabilityunfavourablyimpuissantinducteeskonc6
Caption
LowerGattiIFCONFIG2
LowerGattiCopulative6
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
Comments
LowerGattiPRETORSIONAL
CompanyName
LowerGattiMahewu
ProductName
LowerGattiRECROSSING
FileVersion
8.04.0005
ProductVersion
8.04.0005
InternalName
LowerGattistateliest0
OriginalFilename
LowerGattistateliest0.exe
This file is not on VirusTotal.

Process Tree


JJB-175325-_33001.exe, PID: 1844, Parent PID: 2592
Full Path: C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe
Command Line: "C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe"
JJB-175325-_33001.exe, PID: 2348, Parent PID: 1844
Full Path: C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe
Command Line: C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe"
svchost.exe, PID: 568, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe, PID: 2500, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
WmiPrvSE.exe, PID: 2892, Parent PID: 568
Full Path: C:\Windows\sysnative\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
lsass.exe, PID: 1848, Parent PID: 460
Full Path: C:\Windows\sysnative\lsass.exe
Command Line: C:\Windows\system32\lsass.exe

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 72.247.177.161 [VT] Netherlands
N 34.196.181.158 [VT] United States
N 3.224.145.145 [VT] United States
N 217.70.178.9 [VT] France

TCP

Source Source Port Destination Destination Port
192.168.35.22 49183 217.70.178.9 mail.gandi.net 587
192.168.35.22 49170 3.224.145.145 checkip.amazonaws.com 80
192.168.35.22 49169 34.196.181.158 checkip.amazonaws.com 80
192.168.35.22 49191 72.247.177.161 www.download.windowsupdate.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.22 58774 8.8.8.8 53
192.168.35.22 59887 8.8.8.8 53
192.168.35.22 61809 8.8.8.8 53
192.168.35.22 63733 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
checkip.amazonaws.com [VT] A 52.55.255.113 [VT]
CNAME checkip.check-ip.aws.a2z.com [VT]
A 52.44.169.135 [VT]
CNAME checkip.us-east-1.prod.check-ip.aws.a2z.com [VT]
A 18.205.71.63 [VT]
A 3.224.145.145 [VT]
A 18.204.189.102 [VT]
A 34.196.181.158 [VT]
mail.gandi.net [VT] A 217.70.178.9 [VT]
www.download.windowsupdate.com [VT] CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
A 72.247.177.161 [VT]
CNAME download.windowsupdate.com.edgesuite.net [VT]
A 72.247.177.169 [VT]
CNAME a767.dspw65.akamai.net [VT]

HTTP Requests

URI Data
http://checkip.amazonaws.com/
GET / HTTP/1.1
Host: checkip.amazonaws.com
Connection: Keep-Alive

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86433
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt
GET /msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

SMTP traffic

Destination Data
217.70.178.9
EHLO Win7-x64-Cuckoo
STARTTLS
\x16\x03\x01\x00q\x01\x00\x00m\x03\x01]R\xdcU\x1dy\xea\xd6\xc3h\x9f\xb1\x9c\x93\xe0>\xfc\xd4\xf3^\x9b2\x8c\x0c\xf4,\xf8\xd3\xe2e\xb6\xd8\x00\x00\x18\x00/\x005\x00\x05\x00
\xc0\x13\xc0\x14\xc0	\xc0
\x002\x008\x00\x13\x00\x04\x01\x00\x00,\xff\x01\x00\x01\x00\x00\x00\x00\x13\x00\x11\x00\x00\x0email.gandi.net\x00
\x00\x06\x00\x04\x00\x17\x00\x18\x00\x0b\x00\x02\x01\x00\x16\x03\x01\x01\x06\x10\x00\x01\x02\x01\x00b\x85\x17DW\xf2\xe9R\xad\xd0\xc8\xa2\xa9`\xf8\x81\\xd3udhve7\x17\xb8\xe0\x86\x17z\xcbzu\x8e\xf1\xea7\xf60O\x92\xf6\xc7\xad\xd0\xde\xa79\xc1J\xf6\x1c\x168\xa8\xe6\x1c\xeb!B\xfe\xbe'\xea\xe3\xa4\xac\xd6\xca5\xbb\x1f\xf2\xd8+F\xa8\xde\xf7\xbb\xc2\xebE-\x80\xacV\xcb\x80l\xf2QdZ\xdd\x1e\xd3}\xf3\xcfuf~b\x87\x83@\xce\xdeJ\xe8"\xbcY\xc7\xe4\xf0\x15,\x0e\xc0\xeb\xb0\xbf\xc2\xb0E\xde6\xc2\xc1\xb9\x02\x1e\x14\xe4\x1c\xdc\xee\xe3M(gc\x9f\x07A\x9e9\x94\x02%\xfd\xb3\xfb\x1c\x8eY\x01B?\xf5\x8f[\xea\xc8\xde\xd2:G\xee\xf8\xea\xa7h~
s\xf4\x1a\xc9JI\x91]\xc4\xb3\xd7\xe4\xfb8S\xa8\x9fO\x91\x03\xfe]\x8d]\xaa`\xe0\x1ew\xb5c\x95\xf8\x19\xddW\xf1\x14e\xbd\xf0\x1fr)ec\xe6\xd8\xdd\xa7O(\x0b\xe2\x00Ya\xb3\xd8\x81\x84'\x08\x9cR9\xcbH!e\xee\x8b\x80\x8bz\xb1\x08N5\x14\x03\x01\x00\x01\x01\x16\x03\x01\x000w1\x176\xa4\x94\xe4d\xd1\xc7N\x0f\x80\x0b%\x90\x9a-
\xb6=j|
\x94\xa4\xf9e\xae\xfa&:\xee\x8clf\xeb\xd9;\x9a\xf2\x17]\xf4\x10\xb6a\x1f\x17\x03\x01\x0006o^\xb5\x93\xed\xf4\x82\x1aV\x82\xb0{\x08\x0f\xbf\xe9\x86h\xa4\x80\xaa\x85\xce@\xc4K\xfa\x8e^|\xe5=4\x9ck\x9f\xf3\xcaQ\xa4\x9e\x85\xc3P\x00\x7f\x8f\x17\x03\x01\x00@I\x93\xb6\xe5\xfcg.\xbe(=\xb1a_\xcf&\xa3DE\xd7\xbc\x7fg{\xcbo\xfb[\xad\x8e\xca8\x82\x1eb\xa5\xd9\x06\x11\xe7\xaa\x06]\x97%\xe3\xe1\xb0][\x0f\xacO\x06\x98F?\xee#1?\xb9SX@\x17\x03\x01\x000\xb1qoq\xc0 \x0f\x8e\xb0$@\xa5\xdd\xe8\x07\xb0\xf16\xcd\xacQ\xd7\xeb\xb3%\x1e@\x9f\xcfkJ(,\x14h\x8a\xf4KD|\xa08\x8e\x05\x8et
:\x17\x03\x01\x00@\xf1\x93a d\x8e1\x1b\xbdz\xd69\xbdU\xbe\x0b\xafq\x10\x85&l\xd7M\xe1\x1c.)\xecRt\xf9\x11\x08]\x17f\xa62\x9fx\x10_\xc3\xdd\xa1\x13Y\xc9%\x0c\x92\xd1\xc7\x12=\xb3\xfc\xf0\xc1\x81wc\xf8\x17\x03\x01\x00@\xd0\xc1\xed\xb68\x9d\x9ed,\x1bn.>\x0c\<\x82\x89V\xb0\xc7\xf4T
>\xa9=\xcc\x90AP\xbc:<\xba\xe4\xc9r\xd8,\x00E!\xca\x92\x13\xd4\xb0\xb8\xb7\xfb\xa1\xea\xa2&\xfe\xc4\x97\xcah\xab\xc8\xd4\xa9

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.35.22 49183 217.70.178.9 mail.gandi.net 587 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
File name 3huvl2la.zmk.zip
Associated Filenames
C:\Users\user\AppData\Roaming\3huvl2la.zmk.zip
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name 9435f817-fed2-454e-88cd-7f78fda62c48
Associated Filenames
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
File Size 12 bytes
File Type data
MD5 01ef3b3284e5e6a7b2a5ba5e62dca883
SHA1 7f4a2caa38e61446c2ad9fc383856451c7dfff13
SHA256 e5cee92b5085c650f82a50712fa64f7ecbcb260ce7dc166bdd35e2d747697296
CRC32 5488B554
Ssdeep 3:YJV:YJV
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name Cab9F2C.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Cab9F2C.tmp
C:\Users\user\AppData\Local\Temp\CabA0C3.tmp
File Size 52608 bytes
File Type Microsoft Cabinet archive data, 52608 bytes, 1 file
MD5 ff9672cd98bf5d41722d2d1207344c67
SHA1 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3
SHA256 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54
CRC32 2CA25202
Ssdeep 1536:hnbq9Gl2ifWyUQeydcYDAdN6CtfC8KAZc3kJTiD:hnbq9GQQW7NYDZCw5AZc3r
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name Tar9F2D.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar9F2D.tmp
C:\Users\user\AppData\Local\Temp\TarA0C4.tmp
File Size 125286 bytes
File Type data
MD5 8237156ad13c2cd7c5cc2faa6969fd86
SHA1 e5481457795650900ee04db955c87224e2db32f0
SHA256 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825
CRC32 9C009AE7
Ssdeep 1536:oFAWrmqK1EYqbyr0CpXU4SwucWzvVPIM/P/CGv:oBK1LrVXPEcWOMP/D
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 15f1793d145ef06def1cba376628eef7
SHA1 b267c307bdb05bc416fa9a058b804f13e27afa57
SHA256 fe25e0555372ef6dce5e8510446a4441ab2c289bfcca834e9afbd45601da2622
CRC32 7BD6EC3E
Ssdeep 3:qRFiJ2totWIltvlVl:qjyx
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 e02b5c7b25280da487209bd48b4163f9
SHA1 7d440a9292567af8570c34e52d03aed14405ae00
SHA256 42bc5d24dab11bbeb8fd93b797b3c5b7e70fee667293a32691767580f1a01a73
CRC32 9703369D
Ssdeep 48:qsLf/ZJLH3ZxqT/mf7RCpwV+4igHDt/UwbmXhBgkBVGWYCIh:qsb/Zp/q0lV9Nbojbm
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File Size 65536 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 d6be67cde3eb8449a6b548dc7aa202cb
SHA1 3c06a401e85c3560dd5ebf59d30f1e1dccbe85bf
SHA256 373059c3e90f31c9467d294f83af774c2a61110c2bee075d7aece1e7950d1e9c
CRC32 E0397E0D
Ssdeep 384:tBwjxBNPrNa73dg3skdVQnQeW+4fTJ16ziXrAsjCCtn/NJ03:YBNaCdBr/CSl
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\CabA345.tmp
File Size 58000 bytes
File Type Microsoft Cabinet archive data, 58000 bytes, 1 file
MD5 58a3badc25e15583224e2b922f370a4f
SHA1 5dcce1d09a846eea3d78ebea95fd8da9dcc8b61c
SHA256 7e0630e9c468031329cad1a21bfb37c12153bda0f4d6298ee1b8682dd0c35f8a
CRC32 067699EE
Ssdeep 1536:+wsSahN6MYk090Xre2F9t7yOyOQVMOhq7eK+LZOYw36:MeMYP9Wre2F9t7yQQVFU7erZOYx
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 344 bytes
File Type data
MD5 b75964541b658c0b32146c5b40ff2083
SHA1 5505f6fa284aee484276fec46b6fa880bae00705
SHA256 bb263074b593bb70fa5072d37452a33103af8f50802221f74dfe07919fccecac
CRC32 BE6FCA93
Ssdeep 6:kKZk+5kl/Y4Y+SkQlPlEGYRMY9z+4KlDA3RUemmly:e+5s/YokPlE99SNxAhUe+
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 344 bytes
File Type data
MD5 2af958dc0c395fc547b13033795306d6
SHA1 b4b93f92d36bedd2c2a7b384b7dc3695e5bb4b2d
SHA256 2dcd0a4f991458967103dd71adb29dedc31773d0ebd0b811e6f6bf2e6c6eb860
CRC32 B490B841
Ssdeep 6:kKZkQ814kl/Y4Y+SkQlPlEGYRMY9z+4KlDA3RUemmly:eQ04s/YokPlE99SNxAhUe+
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name TarA356.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\TarA356.tmp
File Size 142438 bytes
File Type data
MD5 8e46600c3cbbec747e274cafd414f211
SHA1 48bdcd43641868e55f4ae40bdefb80f9a3fcf293
SHA256 57debff527a80c0bf28801f782f0e2cfc0b3d5d4d9637c6dfd8e30e2a45d33de
CRC32 B49D15CC
Ssdeep 1536:8rZ9oAVrkFCo6r0I1KRYru+uT5zlXYzSKQsSVi76tksRD:8rDot6r0TRYa2SKFSBywD
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 344 bytes
File Type data
MD5 cdac64ff9d5fff65262826cab8de2ea3
SHA1 d86b29ebeb57f3a92e73dde899a5a9517b780763
SHA256 dd8002e8ffa122c225cbffbe2de7e5101b7d6578afc0c921324d43923b95d06f
CRC32 853A37ED
Ssdeep 6:kKZk+0/ka0jr0EVkl/Y4Y+SkQlPlEGYRMY9z+4KlDA3RUemmly:eoa0/1s/YokPlE99SNxAhUe+
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
Type Injected PE Image: 32-bit executable
Size 957440 bytes
Target Process JJB-175325-_33001.exe
Target PID 2348
Target Path C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe
Injecting Process JJB-175325-_33001.exe
Injecting PID 1844
Path C:\Users\user\AppData\Local\Temp\JJB-175325-_33001.exe
MD5 6221ea2c2eee17d81a15b28ae3c1ece3
SHA1 c55ed0102bc1408f3414f043fb857adc6c16b563
SHA256 da7ea934dffd4dbbf47c3d584af9170259901b50fbb613ccc3acd9af42657ef7
CRC32 009F4AF9
Ssdeep 12288:W4IitFNVMfBetcCzJ4iQSYPSYA3ekunqAI+jeXBaG02d3L:W4IidVUeuCHQSASe03
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Injected PE Image: 64-bit executable
Size 30720 bytes
Target Process lsass.exe
Target PID 1848
Target Path C:\Windows\system32\lsass.exe
Injecting Process services.exe
Injecting PID 460
Path C:\Windows\sysnative\services.exe
MD5 04a1e5b24554720d22c923907588eab9
SHA1 3b5ee22c1ce1d30718c4f9b78a9222f94cf050bd
SHA256 9474982f13da53568200b0701b9476b606fa7f407e5c3cb97ca03ee91856557f
CRC32 818531C3
Ssdeep 768:z53rCJhpTccNDWMaLZKBIA/edHVDtzx06RnE:z5yRcKpXBL/edHjrR
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Injected PE Image: 64-bit executable
Size 68608 bytes
Target Process taskhost.exe
Target PID 2676
Target Path taskhost.exe
Injecting Process services.exe
Injecting PID 460
Path C:\Windows\sysnative\services.exe
MD5 577219d2799b1180f036bd3dd5578e3e
SHA1 b124c76ba7ac988073e5c3a5250ec0550a3c2775
SHA256 d75da0e7af30d175b6b9c8a0a5b685388abbcc30eb8fee8d6d61a769fd7a8994
CRC32 119677AC
Ssdeep 1536:88/5May9YId7u+9IS5v7JTk2SCfYNEff4+yJKddOf:88/FIRu+tv7pk2SCfYNEffpyMOf
Yara None matched
CAPE Yara None matched
Download Download ZIP
Type Injected PE Image: 64-bit executable
Size 26624 bytes
Target Process svchost.exe
Target PID 1440
Target Path C:\Windows\System32\svchost.exe
Injecting Process services.exe
Injecting PID 460
Path C:\Windows\sysnative\services.exe
MD5 c60e425b0de473d8ed482cbf5d7eaaa9
SHA1 be3b2d2d08b143421cd887f904e3af83a30d4c62
SHA256 102bc71e582d18fdd0b8e63ab3e2e42911e329e75377df257b7981fbc8d0749a
CRC32 104FCA84
Ssdeep 768:sWkX7q+f5TYvVeZMmn+0C4xiNEbvKtPK:sX5fhuZE53vKtPK
Yara None matched
CAPE Yara None matched
Download Download ZIP
Sorry! No process dumps.

Comments



No comments posted

Processing ( 89.323 seconds )

  • 85.516 BehaviorAnalysis
  • 1.434 Static
  • 1.312 CAPE
  • 0.426 TargetInfo
  • 0.332 Dropped
  • 0.166 TrID
  • 0.055 Strings
  • 0.047 NetworkAnalysis
  • 0.029 Deduplicate
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 22.162 seconds )

  • 2.9 api_spamming
  • 2.55 decoy_document
  • 2.426 Doppelganging
  • 1.623 dyre_behavior
  • 1.418 injection_createremotethread
  • 1.31 infostealer_browser_password
  • 1.282 infostealer_browser
  • 1.261 InjectionCreateRemoteThread
  • 1.254 exploit_heapspray
  • 1.225 antidebug_guardpages
  • 1.193 ipc_namedpipe
  • 0.988 reads_self
  • 0.845 InjectionInterProcess
  • 0.685 stack_pivot
  • 0.379 antivm_generic_scsi
  • 0.19 recon_programs
  • 0.169 antivm_generic_services
  • 0.089 antiav_detectreg
  • 0.034 infostealer_ftp
  • 0.02 stealth_file
  • 0.02 infostealer_im
  • 0.018 antianalysis_detectreg
  • 0.017 mimics_filetime
  • 0.017 antivm_generic_disk
  • 0.015 infostealer_mail
  • 0.014 antiav_detectfile
  • 0.012 bootkit
  • 0.012 PlugX
  • 0.012 virus
  • 0.009 dynamic_function_loading
  • 0.009 antivm_vbox_keys
  • 0.009 infostealer_bitcoin
  • 0.008 antiemu_wine_func
  • 0.008 hancitor_behavior
  • 0.007 malicious_dynamic_function_loading
  • 0.006 antivm_vbox_libs
  • 0.006 antidbg_windows
  • 0.006 kovter_behavior
  • 0.006 antivm_vmware_keys
  • 0.005 exploit_getbasekerneladdress
  • 0.005 kibex_behavior
  • 0.005 antivm_vbox_files
  • 0.005 ransomware_files
  • 0.004 betabot_behavior
  • 0.004 exploit_gethaldispatchtable
  • 0.004 shifu_behavior
  • 0.004 persistence_autorun
  • 0.004 antivm_parallels_keys
  • 0.004 antivm_xen_keys
  • 0.004 geodo_banking_trojan
  • 0.004 darkcomet_regkeys
  • 0.004 ransomware_extensions
  • 0.003 antiav_avast_libs
  • 0.003 antisandbox_sleep
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_vpc_keys
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antisandbox_sboxie_libs
  • 0.002 exec_crash
  • 0.002 antiav_bitdefender_libs
  • 0.002 antianalysis_detectfile
  • 0.002 antidbg_devices
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 office_flash_load
  • 0.001 dridex_behavior
  • 0.001 antivm_vmware_libs
  • 0.001 kazybot_behavior
  • 0.001 EvilGrab
  • 0.001 encrypted_ioc
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antivm_xen_keys
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_system
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 bypass_firewall
  • 0.001 codelux_behavior
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint

Reporting ( 0.739 seconds )

  • 0.739 CompressResults
Task ID 87733
Mongo ID 5d52dd9b399c393247a576ea
Cuckoo release 1.3-CAPE
Delete