Analysis

Category: FILE
Package: TrickBot
Started: 2019-08-13 22:02:24
Completed: 2019-08-13 22:06:45
Duration: 261 seconds

Options:
route = internet
procdump = 0

Log:
2019-08-13 23:02:25,000 [root] INFO: Date set to: 08-13-19, time set to: 22:02:25, timeout set to: 200
2019-08-13 23:02:25,015 [root] DEBUG: Starting analyzer from: C:\mzxkdbjufe
2019-08-13 23:02:25,015 [root] DEBUG: Storing results at: C:\TJNCea
2019-08-13 23:02:25,015 [root] DEBUG: Pipe server name: \\.\PIPE\NeBzMRwkB
2019-08-13 23:02:25,015 [root] INFO: Analysis package "TrickBot" has been specified.
2019-08-13 23:02:25,342 [root] DEBUG: Started auxiliary module Browser
2019-08-13 23:02:25,342 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 23:02:25,342 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 23:02:25,576 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 23:02:25,576 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 23:02:25,576 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 23:02:25,576 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 23:02:25,576 [root] DEBUG: Started auxiliary module Human
2019-08-13 23:02:25,576 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 23:02:25,592 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 23:02:25,592 [root] DEBUG: Started auxiliary module Usage
2019-08-13 23:02:25,592 [root] INFO: Analyzer: DLL set to DumpOnAPI.dll from package modules.packages.TrickBot
2019-08-13 23:02:25,592 [root] INFO: Analyzer: DLL_64 set to DumpOnAPI_x64.dll from package modules.packages.TrickBot
2019-08-13 23:02:25,608 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ue4xHo.exe" with arguments "" with pid 1836
2019-08-13 23:02:25,608 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:25,608 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:25,608 [lib.api.process] INFO: 32-bit DLL to inject is C:\mzxkdbjufe\dll\cvXtwZPP.dll, loader C:\mzxkdbjufe\bin\ejkprBf.exe
2019-08-13 23:02:25,654 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:25,654 [root] DEBUG: Loader: Injecting process 1836 (thread 332) with C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:25,654 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:02:25,654 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:25,654 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77110000
2019-08-13 23:02:25,654 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:02:25,654 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:25,654 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:25,670 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1836
2019-08-13 23:02:27,683 [lib.api.process] INFO: Successfully resumed process with pid 1836
2019-08-13 23:02:27,683 [root] INFO: Added new process to list with pid: 1836
2019-08-13 23:02:27,697 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:27,697 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:27,697 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:27,730 [root] DEBUG: CAPE initialised: 32-bit DumpOnAPI package loaded at 0x74950000, process image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:02:27,730 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:27,730 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:27,730 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:27,730 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:27,730 [root] INFO: Monitor successfully loaded in process with pid 1836.
2019-08-13 23:02:27,744 [root] DEBUG: GetHookCallerBase: thread 332 (handle 0x0), return address 0x004012A9, allocation base 0x00400000.
2019-08-13 23:02:27,744 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00400000 main_caller_retaddr 0x004012A9 parent_caller_retaddr 0x00000000.
2019-08-13 23:02:27,744 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:02:27,744 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:02:27,760 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1836_20459509092722714382019
2019-08-13 23:02:27,760 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:02:27,760 [root] DEBUG: Dump-on-API: Dumped module at 0x00400000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:27,760 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:02:27,760 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:02:27,776 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:02:27,776 [root] DEBUG: DLL loaded at 0x74860000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:02:27,822 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:02:27,822 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:02:27,822 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:02:27,854 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:02:27,869 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:02:27,869 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:02:27,901 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 23:02:27,917 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:02:27,917 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:02:27,917 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:02:27,917 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:02:27,947 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:02:27,947 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:02:27,947 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:02:27,963 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:02:27,963 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 23:02:28,009 [root] INFO: Announced 32-bit process name: ропрУВаЫсено.exe pid: 2332
2019-08-13 23:02:28,009 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,009 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,009 [lib.api.process] INFO: 32-bit DLL to inject is C:\mzxkdbjufe\dll\cvXtwZPP.dll, loader C:\mzxkdbjufe\bin\ejkprBf.exe
2019-08-13 23:02:28,009 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,009 [root] DEBUG: Loader: Injecting process 2332 (thread 2380) with C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:28,009 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:02:28,009 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:28,009 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77110000
2019-08-13 23:02:28,009 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:02:28,009 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,009 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:28,009 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2332
2019-08-13 23:02:28,009 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,009 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,009 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,009 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,009 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,009 [root] DEBUG: DLL unloaded from 0x74440000.
2019-08-13 23:02:28,026 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 23:02:28,026 [root] DEBUG: DLL unloaded from 0x74870000.
2019-08-13 23:02:28,026 [root] INFO: Notified of termination of process with pid 1836.
2019-08-13 23:02:28,026 [root] DEBUG: CAPE initialised: 32-bit DumpOnAPI package loaded at 0x74950000, process image base 0x400000, stack from 0x287000-0x290000
2019-08-13 23:02:28,026 [root] INFO: Added new process to list with pid: 2332
2019-08-13 23:02:28,026 [root] INFO: Monitor successfully loaded in process with pid 2332.
2019-08-13 23:02:28,042 [root] DEBUG: GetHookCallerBase: thread 2380 (handle 0x0), return address 0x004012A9, allocation base 0x00400000.
2019-08-13 23:02:28,056 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00400000 main_caller_retaddr 0x004012A9 parent_caller_retaddr 0x00000000.
2019-08-13 23:02:28,056 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:02:28,056 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:02:28,072 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2332_3974036892822714382019
2019-08-13 23:02:28,072 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:02:28,104 [root] DEBUG: Dump-on-API: Dumped module at 0x00400000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,104 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:02:28,119 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:02:28,119 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:02:28,119 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:02:28,119 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:02:28,134 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:02:28,229 [root] DEBUG: DLL unloaded from 0x75790000.
2019-08-13 23:02:28,276 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:02:28,276 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:02:28,276 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:02:28,290 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:02:28,290 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:02:28,322 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,368 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,368 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:02:28,384 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:02:28,384 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:02:28,400 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:02:28,400 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:02:28,400 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:02:28,400 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:02:28,400 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:02:28,431 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 23:02:28,447 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1308
2019-08-13 23:02:28,447 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,447 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,447 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,477 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,477 [root] DEBUG: Loader: Injecting process 1308 (thread 1224) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,477 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,509 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,540 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,540 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,555 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,555 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,555 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1308
2019-08-13 23:02:28,572 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,572 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 23:02:28,572 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:28,572 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,572 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,588 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,588 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,588 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,588 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2900
2019-08-13 23:02:28,588 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,588 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,588 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,588 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,588 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,602 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,602 [root] DEBUG: Loader: Injecting process 2900 (thread 884) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,602 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,602 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,602 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,602 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,602 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,602 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,602 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2900
2019-08-13 23:02:28,602 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,602 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:28,602 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,618 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,618 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,618 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2764
2019-08-13 23:02:28,618 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,618 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,618 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,618 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,618 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,618 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,618 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,634 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:02:28,634 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 23:02:28,634 [root] INFO: Added new process to list with pid: 2900
2019-08-13 23:02:28,634 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,634 [root] INFO: Monitor successfully loaded in process with pid 2900.
2019-08-13 23:02:28,634 [root] INFO: Added new process to list with pid: 1308
2019-08-13 23:02:28,634 [root] DEBUG: Loader: Injecting process 2764 (thread 2648) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,634 [root] INFO: Monitor successfully loaded in process with pid 1308.
2019-08-13 23:02:28,634 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,634 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,634 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,650 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,650 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,650 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,650 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2764
2019-08-13 23:02:28,650 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,650 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:28,650 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,650 [root] DEBUG: GetHookCallerBase: thread 884 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:28,650 [root] DEBUG: GetHookCallerBase: thread 1224 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:28,650 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:28,650 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,650 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,650 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:28,650 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,665 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,665 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:28,665 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:28,665 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,665 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:28,665 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:28,665 [root] INFO: Announced 64-bit process name: cmd.exe pid: 880
2019-08-13 23:02:28,665 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,665 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,665 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,665 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,665 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,665 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000000E4000-0x00000000001E0000
2019-08-13 23:02:28,665 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,680 [root] INFO: Added new process to list with pid: 2764
2019-08-13 23:02:28,680 [root] INFO: Monitor successfully loaded in process with pid 2764.
2019-08-13 23:02:28,680 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:02:28,680 [root] DEBUG: GetHookCallerBase: thread 2648 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:28,680 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,680 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:02:28,680 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:28,680 [root] DEBUG: Loader: Injecting process 880 (thread 624) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,680 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:02:28,680 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,680 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:28,680 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\mzxkdbjufe\CAPE\1308_11466475142822714382019
2019-08-13 23:02:28,680 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,680 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:28,680 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2900_2055477242822714382019
2019-08-13 23:02:28,680 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,680 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,680 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:28,697 [root] INFO: Process with pid 1836 has terminated
2019-08-13 23:02:28,697 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,697 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,711 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,711 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1308_11466475142822714382019
2019-08-13 23:02:28,711 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,711 [root] DEBUG: DumpRegion: Dumped stack region from 0x0000000049DC0000, size 0x59000.
2019-08-13 23:02:28,711 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 880
2019-08-13 23:02:28,711 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2764_18260640242822714382019
2019-08-13 23:02:28,711 [root] DEBUG: Dump-on-API: Dumped memory region at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,711 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,711 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:28,711 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:28,727 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:28,727 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:28,727 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,727 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,727 [root] INFO: Announced 64-bit process name: sc.exe pid: 2884
2019-08-13 23:02:28,727 [root] INFO: Announced 64-bit process name: sc.exe pid: 2992
2019-08-13 23:02:28,727 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,727 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,727 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,727 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,727 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,727 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,727 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,727 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,727 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,727 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,727 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,727 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,727 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:28,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,743 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1748
2019-08-13 23:02:28,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,743 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3052
2019-08-13 23:02:28,743 [root] DEBUG: Loader: Injecting process 2992 (thread 764) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,743 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000000B4000-0x00000000001B0000
2019-08-13 23:02:28,743 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,743 [root] DEBUG: Loader: Injecting process 2884 (thread 2964) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,743 [root] DEBUG: Process image base: 0x00000000FFDB0000
2019-08-13 23:02:28,743 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,743 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,743 [root] INFO: Added new process to list with pid: 880
2019-08-13 23:02:28,743 [root] DEBUG: Process image base: 0x00000000FFDB0000
2019-08-13 23:02:28,743 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,743 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,743 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,743 [root] INFO: Monitor successfully loaded in process with pid 880.
2019-08-13 23:02:28,743 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,743 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFDBF000 - 0x000007FEFF430000
2019-08-13 23:02:28,759 [root] DEBUG: GetHookCallerBase: thread 624 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFDBF000 - 0x000007FEFF430000
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00000000FFDC0000.
2019-08-13 23:02:28,759 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,759 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:28,759 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00000000FFDC0000.
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,759 [root] DEBUG: Loader: Injecting process 1748 (thread 1568) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,759 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:28,759 [root] DEBUG: Loader: Injecting process 3052 (thread 1812) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,759 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,759 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,759 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:28,759 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:28,759 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,759 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2992
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,759 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,775 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2884
2019-08-13 23:02:28,775 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,775 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,775 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,775 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,775 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,775 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,775 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,775 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:28,775 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,775 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,775 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1748
2019-08-13 23:02:28,775 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:28,775 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,775 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\880_15465962912822714382019
2019-08-13 23:02:28,775 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,775 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,789 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,789 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:28,789 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,789 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,789 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:28,789 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,789 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,789 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,789 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFDB0000, stack from 0x00000000000D5000-0x00000000000E0000
2019-08-13 23:02:28,789 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFDB0000, stack from 0x00000000000D5000-0x00000000000E0000
2019-08-13 23:02:28,789 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,789 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3052
2019-08-13 23:02:28,805 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,805 [root] INFO: Added new process to list with pid: 2884
2019-08-13 23:02:28,805 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,805 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:28,805 [root] INFO: Monitor successfully loaded in process with pid 2884.
2019-08-13 23:02:28,805 [root] INFO: Added new process to list with pid: 2992
2019-08-13 23:02:28,805 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,805 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,805 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2216
2019-08-13 23:02:28,805 [root] INFO: Monitor successfully loaded in process with pid 2992.
2019-08-13 23:02:28,805 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,805 [root] INFO: Announced 64-bit process name: cmd.exe pid: 972
2019-08-13 23:02:28,805 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,822 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000094000-0x0000000000190000
2019-08-13 23:02:28,822 [root] DEBUG: GetHookCallerBase: thread 764 (handle 0x0), return address 0x00000000FFDB1D01, allocation base 0x00000000FFDB0000.
2019-08-13 23:02:28,822 [root] DEBUG: GetHookCallerBase: thread 2964 (handle 0x0), return address 0x00000000FFDB1D01, allocation base 0x00000000FFDB0000.
2019-08-13 23:02:28,822 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,822 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,822 [root] INFO: Added new process to list with pid: 1748
2019-08-13 23:02:28,822 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFDB0000 main_caller_retaddr 0x00000000FFDB1D01 parent_caller_retaddr 0x00000000FFDB1E7B.
2019-08-13 23:02:28,822 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFDB0000 main_caller_retaddr 0x00000000FFDB1D01 parent_caller_retaddr 0x00000000FFDB1E7B.
2019-08-13 23:02:28,822 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,822 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,822 [root] INFO: Monitor successfully loaded in process with pid 1748.
2019-08-13 23:02:28,822 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,822 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFDB0000.
2019-08-13 23:02:28,822 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFDB0000.
2019-08-13 23:02:28,822 [root] DEBUG: GetHookCallerBase: thread 1568 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:28,822 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,822 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,822 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:02:28,822 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:02:28,836 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:28,836 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,836 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,836 [root] DEBUG: Loader: Injecting process 2216 (thread 2352) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,836 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,836 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:28,836 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,836 [root] DEBUG: Loader: Injecting process 972 (thread 1652) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,836 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,836 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:28,836 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:28,836 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:02:28,836 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,836 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,836 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:02:28,836 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,836 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,836 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:28,836 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2992_19975771082822714382019
2019-08-13 23:02:28,836 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,852 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:02:28,852 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:28,852 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,852 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000256000-0x0000000000260000
2019-08-13 23:02:28,852 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:02:28,852 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\mzxkdbjufe\CAPE\2884_15668165702822714382019
2019-08-13 23:02:28,852 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,852 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,852 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFDB0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,852 [root] INFO: Added new process to list with pid: 3052
2019-08-13 23:02:28,852 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,852 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,868 [root] INFO: Monitor successfully loaded in process with pid 3052.
2019-08-13 23:02:28,868 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 23:02:28,868 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2216
2019-08-13 23:02:28,868 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1748_11116064162822714382019
2019-08-13 23:02:28,868 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,868 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2884_15668165702822714382019
2019-08-13 23:02:28,868 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:28,868 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 972
2019-08-13 23:02:28,868 [root] DEBUG: DumpRegion: Dumped stack region from 0x00000000FFDB0000, size 0xf000.
2019-08-13 23:02:28,868 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,868 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,868 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,884 [root] DEBUG: Dump-on-API: Dumped memory region at 0x00000000FFDB0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,884 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,884 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:28,884 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:28,884 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,884 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 23:02:28,884 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,884 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1080
2019-08-13 23:02:28,884 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,884 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,884 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,884 [root] DEBUG: GetHookCallerBase: thread 1812 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:28,900 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,900 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,900 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:28,900 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,900 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,900 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,900 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:28,900 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,900 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:28,900 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000000F5000-0x0000000000100000
2019-08-13 23:02:28,914 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000144000-0x0000000000240000
2019-08-13 23:02:28,914 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1592
2019-08-13 23:02:28,914 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:28,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,914 [root] INFO: Added new process to list with pid: 2216
2019-08-13 23:02:28,914 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:28,914 [root] DEBUG: Loader: Injecting process 1080 (thread 2928) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,914 [root] INFO: Monitor successfully loaded in process with pid 2216.
2019-08-13 23:02:28,914 [root] INFO: Added new process to list with pid: 972
2019-08-13 23:02:28,914 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:28,914 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,914 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:28,914 [root] INFO: Monitor successfully loaded in process with pid 972.
2019-08-13 23:02:28,914 [root] DEBUG: GetHookCallerBase: thread 2352 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:28,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:28,914 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,914 [root] DEBUG: GetHookCallerBase: thread 1652 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:28,914 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:28,914 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:28,914 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:28,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:28,930 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:28,930 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:28,930 [root] DEBUG: Loader: Injecting process 1592 (thread 2324) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,930 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:28,930 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:28,930 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,930 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3052_17753346272822714382019
2019-08-13 23:02:28,930 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:28,930 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:28,930 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,930 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:28,930 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,930 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,930 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1080
2019-08-13 23:02:28,930 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:28,930 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,946 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:28,946 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:02:28,946 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,946 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:28,946 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:28,946 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:28,946 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:28,946 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:02:28,946 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,946 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2216_3470133152822714382019
2019-08-13 23:02:28,946 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:28,946 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:02:28,946 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,946 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:28,946 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:28,946 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:28,946 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\mzxkdbjufe\CAPE\972_19970880962822714382019
2019-08-13 23:02:28,946 [root] INFO: Notified of termination of process with pid 2884.
2019-08-13 23:02:28,946 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,961 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,961 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1592
2019-08-13 23:02:28,961 [root] INFO: Notified of termination of process with pid 2992.
2019-08-13 23:02:28,961 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:28,961 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:28,961 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:28,961 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000245000-0x0000000000250000
2019-08-13 23:02:28,961 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:28,961 [root] INFO: Notified of termination of process with pid 2900.
2019-08-13 23:02:28,977 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:28,977 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:28,977 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:28,977 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:28,977 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\972_19970880962822714382019
2019-08-13 23:02:28,977 [root] INFO: Added new process to list with pid: 1080
2019-08-13 23:02:28,977 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:28,977 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:28,977 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:28,977 [root] DEBUG: DumpRegion: Dumped stack region from 0x0000000049DC0000, size 0x59000.
2019-08-13 23:02:28,977 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:28,977 [root] INFO: Monitor successfully loaded in process with pid 1080.
2019-08-13 23:02:28,977 [root] INFO: Notified of termination of process with pid 1308.
2019-08-13 23:02:28,977 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:28,993 [root] DEBUG: Dump-on-API: Dumped memory region at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:28,993 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:28,993 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:28,993 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:28,993 [root] DEBUG: GetHookCallerBase: thread 2928 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:28,993 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:28,993 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:28,993 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:29,009 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:29,009 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:29,009 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:29,009 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2708
2019-08-13 23:02:29,009 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001D4000-0x00000000002D0000
2019-08-13 23:02:29,009 [root] INFO: Announced 64-bit process name: cmd.exe pid: 544
2019-08-13 23:02:29,009 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:29,009 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:29,023 [root] INFO: Added new process to list with pid: 1592
2019-08-13 23:02:29,023 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,023 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:29,023 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:29,023 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:29,023 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,023 [root] INFO: Monitor successfully loaded in process with pid 1592.
2019-08-13 23:02:29,023 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,023 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:29,023 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,023 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:29,023 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:29,023 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,023 [root] DEBUG: GetHookCallerBase: thread 2324 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:29,023 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,023 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:29,039 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:29,039 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:29,039 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:29,039 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:29,039 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:29,039 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:29,039 [root] DEBUG: Loader: Injecting process 2708 (thread 2212) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,039 [root] DEBUG: Loader: Injecting process 544 (thread 3008) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,039 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1080_1254535682922714382019
2019-08-13 23:02:29,055 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:29,055 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:29,055 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:29,055 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:29,055 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:29,055 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:29,055 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:29,055 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,055 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,071 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:29,071 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:29,071 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:29,071 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:29,071 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:29,071 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:29,071 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:29,071 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:29,086 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:29,101 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1592_14828789602922714382019
2019-08-13 23:02:29,101 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:29,118 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:29,118 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:29,118 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:29,118 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:29,118 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:29,211 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,211 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2708
2019-08-13 23:02:29,226 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:29,257 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:29,257 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:29,257 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,273 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 544
2019-08-13 23:02:29,289 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:29,289 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:29,289 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:29,321 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:29,321 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:29,321 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2924
2019-08-13 23:02:29,368 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:29,368 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:29,368 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:29,368 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,368 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,368 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,398 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:29,414 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:29,414 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:29,430 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:29,430 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:29,430 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:29,446 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000145000-0x0000000000150000
2019-08-13 23:02:29,446 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:29,446 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:29,446 [root] DEBUG: Loader: Injecting process 2924 (thread 2824) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,446 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:29,446 [root] INFO: Added new process to list with pid: 2708
2019-08-13 23:02:29,446 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:29,446 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:29,460 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2104
2019-08-13 23:02:29,460 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:29,460 [root] INFO: Monitor successfully loaded in process with pid 2708.
2019-08-13 23:02:29,460 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:29,460 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,460 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:29,460 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:29,476 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,476 [root] DEBUG: GetHookCallerBase: thread 2212 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:29,476 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:29,476 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:29,476 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,492 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:29,492 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000000B4000-0x00000000001B0000
2019-08-13 23:02:29,492 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:29,492 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:29,492 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,492 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:29,492 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:29,492 [root] INFO: Added new process to list with pid: 544
2019-08-13 23:02:29,492 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:29,492 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:29,492 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:29,492 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:29,492 [root] INFO: Monitor successfully loaded in process with pid 544.
2019-08-13 23:02:29,507 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:29,507 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:29,507 [root] DEBUG: Loader: Injecting process 2104 (thread 2116) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,507 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:29,507 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:29,507 [root] DEBUG: GetHookCallerBase: thread 3008 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:29,507 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,507 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,555 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:29,555 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2924
2019-08-13 23:02:29,555 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:29,555 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:29,555 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:29,569 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2708_18882569482922714382019
2019-08-13 23:02:29,569 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:29,569 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:29,569 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:29,569 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:29,569 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:29,569 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:29,569 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:29,569 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:29,569 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,585 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:29,585 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2104
2019-08-13 23:02:29,585 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:29,585 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:29,617 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:29,617 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000195000-0x00000000001A0000
2019-08-13 23:02:29,617 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:29,617 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\544_625814362922714382019
2019-08-13 23:02:29,617 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:29,617 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:29,617 [root] INFO: Added new process to list with pid: 2924
2019-08-13 23:02:29,617 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:29,632 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:29,632 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:29,632 [root] INFO: Monitor successfully loaded in process with pid 2924.
2019-08-13 23:02:29,632 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:29,632 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:29,632 [root] DEBUG: GetHookCallerBase: thread 2824 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:29,632 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:29,648 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:29,648 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:29,648 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:29,648 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:29,664 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:29,664 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:29,664 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:29,664 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1788
2019-08-13 23:02:29,664 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:29,680 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3036
2019-08-13 23:02:29,680 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:29,680 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000114000-0x0000000000210000
2019-08-13 23:02:29,680 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:29,680 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,680 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:29,694 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:29,694 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,710 [root] INFO: Added new process to list with pid: 2104
2019-08-13 23:02:29,710 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:29,710 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,710 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,710 [root] INFO: Monitor successfully loaded in process with pid 2104.
2019-08-13 23:02:29,726 [root] INFO: Process with pid 2900 has terminated
2019-08-13 23:02:29,726 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,742 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:29,742 [root] DEBUG: GetHookCallerBase: thread 2116 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:29,742 [root] INFO: Process with pid 2884 has terminated
2019-08-13 23:02:29,742 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:29,742 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,742 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2924_4204765822922714382019
2019-08-13 23:02:29,742 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:29,757 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:29,757 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:29,757 [root] DEBUG: Loader: Injecting process 1788 (thread 1872) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,757 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:29,773 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:29,773 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:29,773 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:29,773 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:29,773 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:29,773 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:29,773 [root] DEBUG: Loader: Injecting process 3036 (thread 2916) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,773 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:29,773 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:29,773 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:29,773 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,773 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:29,789 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:29,789 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:29,851 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:29,851 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:29,867 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,881 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:29,898 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:29,898 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:29,898 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:29,898 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:29,898 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2104_6432982402922714382019
2019-08-13 23:02:29,914 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:29,914 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,914 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:29,914 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:29,914 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1788
2019-08-13 23:02:29,914 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:29,928 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:29,928 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:29,928 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:29,928 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:29,928 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:29,928 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:29,944 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2128
2019-08-13 23:02:29,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3036
2019-08-13 23:02:29,944 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:29,944 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:29,944 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:29,944 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:29,944 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:29,960 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:29,960 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:29,960 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:29,960 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:29,960 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:29,960 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:29,960 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:29,960 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:29,976 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:29,976 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:29,976 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000235000-0x0000000000240000
2019-08-13 23:02:29,976 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:30,006 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:30,023 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:30,038 [root] INFO: Added new process to list with pid: 1788
2019-08-13 23:02:30,038 [root] INFO: Monitor successfully loaded in process with pid 1788.
2019-08-13 23:02:30,038 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:30,038 [root] DEBUG: Loader: Injecting process 2128 (thread 2636) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,038 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:30,038 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:30,053 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:30,069 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:30,069 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:30,069 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:30,069 [root] DEBUG: GetHookCallerBase: thread 1872 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:30,069 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,069 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2076
2019-08-13 23:02:30,085 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:30,085 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:30,085 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:30,085 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:30,101 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:30,101 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000114000-0x0000000000210000
2019-08-13 23:02:30,101 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:30,115 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:30,115 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:30,131 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:30,131 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:30,131 [root] INFO: Added new process to list with pid: 3036
2019-08-13 23:02:30,131 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:30,131 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:30,131 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:30,131 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:30,131 [root] INFO: Monitor successfully loaded in process with pid 3036.
2019-08-13 23:02:30,148 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:30,148 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,163 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:30,163 [root] DEBUG: GetHookCallerBase: thread 2916 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:30,163 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:30,163 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2128
2019-08-13 23:02:30,163 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:30,178 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:30,178 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:30,178 [root] DEBUG: Loader: Injecting process 2076 (thread 3016) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,210 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:30,226 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:30,226 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1788_3787751003022714382019
2019-08-13 23:02:30,226 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:30,226 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:30,226 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:30,226 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:30,226 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:30,226 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:30,226 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:30,240 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:30,240 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,240 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:30,240 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:30,240 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:30,240 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:30,240 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:30,240 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:30,272 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:30,272 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:30,272 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:30,288 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:30,288 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:30,288 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:30,288 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:30,288 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:30,288 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:30,288 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000285000-0x0000000000290000
2019-08-13 23:02:30,288 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3036_14185159373022714382019
2019-08-13 23:02:30,303 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,303 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:30,303 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:30,303 [root] INFO: Added new process to list with pid: 2128
2019-08-13 23:02:30,303 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:30,319 [root] INFO: Monitor successfully loaded in process with pid 2128.
2019-08-13 23:02:30,319 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:30,319 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:30,319 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:30,319 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GT5VN8I2D076GVITBR4U.temp'
2019-08-13 23:02:30,319 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:30,319 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2076
2019-08-13 23:02:30,319 [root] DEBUG: GetHookCallerBase: thread 2636 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:30,319 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:30,335 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:30,335 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GT5VN8I2D076GVITBR4U.temp'
2019-08-13 23:02:30,335 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:30,335 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:30,335 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:30,335 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:30,335 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:30,335 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:30,335 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:30,335 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1940
2019-08-13 23:02:30,335 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:30,335 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:30,349 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:30,349 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GT5VN8I2D076GVITBR4U.temp'
2019-08-13 23:02:30,349 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:30,349 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:30,349 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:30,349 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:30,349 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:30,349 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP'
2019-08-13 23:02:30,365 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:30,365 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:30,365 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:30,365 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:30,365 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:30,365 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:30,365 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:30,365 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:30,365 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:30,365 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:30,381 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp" does not exist, skip.
2019-08-13 23:02:30,381 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:30,381 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3096
2019-08-13 23:02:30,381 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000204000-0x0000000000300000
2019-08-13 23:02:30,397 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:30,397 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:30,397 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2128_10288288803022714382019
2019-08-13 23:02:30,397 [root] DEBUG: Loader: Injecting process 1940 (thread 1132) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,397 [root] INFO: Added new process to list with pid: 2076
2019-08-13 23:02:30,397 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:30,397 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:30,397 [root] INFO: Monitor successfully loaded in process with pid 2076.
2019-08-13 23:02:30,397 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:30,397 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:30,397 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp" does not exist, skip.
2019-08-13 23:02:30,397 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:30,397 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:30,413 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,413 [root] DEBUG: GetHookCallerBase: thread 3016 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:30,413 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:30,413 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:30,413 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:30,413 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:30,413 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:30,413 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:30,413 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:30,413 [root] DEBUG: Loader: Injecting process 3096 (thread 3100) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,427 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:30,427 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:30,427 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:30,427 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:30,427 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:30,427 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:30,427 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:30,427 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,427 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:30,444 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:30,444 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:30,444 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:30,444 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:30,506 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,522 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:30,522 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:30,522 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:30,522 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1940
2019-08-13 23:02:30,538 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:30,538 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:30,538 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:30,584 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:30,584 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:30,584 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,584 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2076_16775666083022714382019
2019-08-13 23:02:30,584 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:30,599 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:30,599 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:30,599 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3096
2019-08-13 23:02:30,599 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:30,599 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:30,599 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:30,615 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:30,615 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:30,615 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:30,631 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:30,631 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:30,631 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:30,631 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:30,631 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:30,631 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:30,631 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:30,647 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:30,661 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:30,661 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:30,677 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000000A6000-0x00000000000B0000
2019-08-13 23:02:30,677 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:30,677 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:30,677 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:30,677 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:30,677 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\0APC9KQAIRF3FLVWD9IP.temp'
2019-08-13 23:02:30,677 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3408
2019-08-13 23:02:30,677 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:30,677 [root] INFO: Added new process to list with pid: 1940
2019-08-13 23:02:30,677 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\XGUL1F4093BOFQLKJXLP.temp'
2019-08-13 23:02:30,694 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\0APC9KQAIRF3FLVWD9IP.temp'
2019-08-13 23:02:30,709 [root] INFO: Monitor successfully loaded in process with pid 1940.
2019-08-13 23:02:30,709 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:30,709 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:30,709 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\XGUL1F4093BOFQLKJXLP.temp'
2019-08-13 23:02:30,724 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:30,724 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:30,724 [root] DEBUG: GetHookCallerBase: thread 1132 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:30,724 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:30,724 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:30,740 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\0APC9KQAIRF3FLVWD9IP.temp'
2019-08-13 23:02:30,756 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:30,740 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000054000-0x0000000000150000
2019-08-13 23:02:30,756 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:30,756 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:30,756 [root] INFO: Announced 32-bit process name: ропрУВаЫсено.exe pid: 3568
2019-08-13 23:02:30,786 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP'
2019-08-13 23:02:30,802 [root] INFO: Process with pid 1308 has terminated
2019-08-13 23:02:30,802 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\XGUL1F4093BOFQLKJXLP.temp'
2019-08-13 23:02:30,818 [root] INFO: Added new process to list with pid: 3096
2019-08-13 23:02:30,818 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:30,818 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:30,818 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:30,818 [root] INFO: Process with pid 2992 has terminated
2019-08-13 23:02:30,818 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:30,818 [root] INFO: Monitor successfully loaded in process with pid 3096.
2019-08-13 23:02:30,818 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:30,818 [root] DEBUG: Loader: Injecting process 3408 (thread 3412) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,818 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:30,834 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP'
2019-08-13 23:02:30,834 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp" does not exist, skip.
2019-08-13 23:02:30,834 [root] DEBUG: GetHookCallerBase: thread 3100 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:30,834 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:30,834 [lib.api.process] INFO: 32-bit DLL to inject is C:\mzxkdbjufe\dll\cvXtwZPP.dll, loader C:\mzxkdbjufe\bin\ejkprBf.exe
2019-08-13 23:02:30,834 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:30,849 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:30,849 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:30,849 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,865 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:30,865 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:30,865 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:30,865 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp" does not exist, skip.
2019-08-13 23:02:30,865 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:30,881 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp" does not exist, skip.
2019-08-13 23:02:30,881 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:30,895 [root] DEBUG: Loader: Injecting process 3568 (thread 3572) with C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:30,895 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\1940_13366076543022714382019
2019-08-13 23:02:30,895 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:30,895 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:02:30,895 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:30,911 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:30,911 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:30,927 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:30,927 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:30,927 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:30,927 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:30,927 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:30,927 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:30,927 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp" does not exist, skip.
2019-08-13 23:02:30,927 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77110000
2019-08-13 23:02:30,927 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:30,943 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3408
2019-08-13 23:02:30,943 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:30,943 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:02:30,943 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3096_6480747523022714382019
2019-08-13 23:02:30,943 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:30,943 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:30,959 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:30,959 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:30,959 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:30,959 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:30,959 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:30,959 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:30,959 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\cvXtwZPP.dll.
2019-08-13 23:02:30,959 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:30,990 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:30,990 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:30,990 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3568
2019-08-13 23:02:30,990 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:31,006 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:31,006 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:31,006 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:31,006 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:31,006 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:31,020 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3840
2019-08-13 23:02:31,020 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:31,020 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000001D5000-0x00000000001E0000
2019-08-13 23:02:31,020 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:31,036 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:31,036 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:31,036 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:31,036 [root] INFO: Added new process to list with pid: 3408
2019-08-13 23:02:31,036 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:31,036 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:31,036 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:31,036 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:31,036 [root] INFO: Monitor successfully loaded in process with pid 3408.
2019-08-13 23:02:31,052 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:31,052 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:31,052 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:31,052 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:31,052 [root] DEBUG: GetHookCallerBase: thread 3412 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:31,052 [root] DEBUG: CAPE initialised: 32-bit DumpOnAPI package loaded at 0x74950000, process image base 0x400000, stack from 0x287000-0x290000
2019-08-13 23:02:31,068 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:31,068 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:31,068 [root] INFO: Added new process to list with pid: 3568
2019-08-13 23:02:31,084 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:31,084 [root] INFO: Monitor successfully loaded in process with pid 3568.
2019-08-13 23:02:31,084 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:31,098 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:31,098 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:31,098 [root] DEBUG: Loader: Injecting process 3840 (thread 3844) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:31,098 [root] DEBUG: GetHookCallerBase: thread 3572 (handle 0x0), return address 0x004012A9, allocation base 0x00400000.
2019-08-13 23:02:31,098 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:31,098 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:31,098 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:31,098 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00400000 main_caller_retaddr 0x004012A9 parent_caller_retaddr 0x00000000.
2019-08-13 23:02:31,115 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:31,115 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:02:31,115 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:31,130 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:31,130 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:02:31,145 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3408_7941983653122714382019
2019-08-13 23:02:31,145 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:31,145 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:31,161 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:31,161 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3568_1574654163122714382019
2019-08-13 23:02:31,161 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:02:31,161 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:31,161 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:31,161 [root] DEBUG: Dump-on-API: Dumped module at 0x00400000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:31,177 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3840
2019-08-13 23:02:31,177 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:02:31,193 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:31,193 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:31,193 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:31,193 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:02:31,223 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:31,240 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:02:31,240 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:31,240 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:31,240 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:02:31,255 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:31,255 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000155000-0x0000000000160000
2019-08-13 23:02:31,255 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:02:31,286 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:31,302 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:02:31,302 [root] INFO: Added new process to list with pid: 3840
2019-08-13 23:02:31,302 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:31,302 [root] INFO: Monitor successfully loaded in process with pid 3840.
2019-08-13 23:02:31,302 [root] DEBUG: DLL unloaded from 0x75790000.
2019-08-13 23:02:31,318 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:31,318 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:31,318 [root] DEBUG: GetHookCallerBase: thread 3844 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:31,318 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:31,348 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:31,348 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:31,348 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:31,348 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:31,348 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:31,348 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:31,348 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:31,380 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:31,380 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:31,380 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:02:31,441 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:31,457 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:02:31,489 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:02:31,519 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:02:31,519 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3840_757763363122714382019
2019-08-13 23:02:31,519 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:02:31,519 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:31,519 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:31,519 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:31,536 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:31,536 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:31,536 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:31,536 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:02:31,552 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:02:31,582 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:31,582 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:02:31,598 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:31,598 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:02:31,630 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:31,630 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:02:31,630 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:02:31,644 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:31,661 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3400
2019-08-13 23:02:31,661 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:31,661 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 23:02:31,661 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:31,661 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:31,661 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:31,676 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:31,676 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:31,676 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:31,676 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:31,691 [root] DEBUG: Loader: Injecting process 3400 (thread 3440) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:31,691 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:31,769 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:31,786 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:31,786 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:31,848 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:31,848 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:31,941 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:31,941 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3400
2019-08-13 23:02:31,957 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:32,019 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 23:02:32,019 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 23:02:32,019 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:32,035 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:32,035 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,035 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 23:02:32,051 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:32,051 [root] DEBUG: DLL unloaded from 0x74870000.
2019-08-13 23:02:32,051 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,051 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:32,051 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,051 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,051 [root] INFO: Notified of termination of process with pid 2332.
2019-08-13 23:02:32,051 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3688
2019-08-13 23:02:32,065 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,065 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,065 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,082 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001A4000-0x00000000002A0000
2019-08-13 23:02:32,082 [root] INFO: Added new process to list with pid: 3400
2019-08-13 23:02:32,082 [root] INFO: Monitor successfully loaded in process with pid 3400.
2019-08-13 23:02:32,098 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,098 [root] DEBUG: GetHookCallerBase: thread 3440 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:32,098 [root] DEBUG: Loader: Injecting process 3688 (thread 3692) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,098 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:32,098 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:32,098 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:32,098 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,112 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:32,112 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:32,112 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:32,128 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:32,144 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:32,144 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:32,160 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:32,160 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,160 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:32,160 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,160 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:32,160 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3688
2019-08-13 23:02:32,190 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:32,190 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3400_18014592903222714382019
2019-08-13 23:02:32,190 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:32,190 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:32,207 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:32,207 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:32,207 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,207 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:32,207 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:32,207 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,221 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:32,221 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,221 [root] INFO: Announced 64-bit process name: sc.exe pid: 3864
2019-08-13 23:02:32,221 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3900
2019-08-13 23:02:32,221 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,221 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,221 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,221 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,237 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,237 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,237 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,237 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001D4000-0x00000000002D0000
2019-08-13 23:02:32,237 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,237 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,237 [root] INFO: Added new process to list with pid: 3688
2019-08-13 23:02:32,237 [root] DEBUG: Loader: Injecting process 3864 (thread 3872) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,237 [root] DEBUG: Loader: Injecting process 3900 (thread 3904) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,237 [root] INFO: Monitor successfully loaded in process with pid 3688.
2019-08-13 23:02:32,253 [root] DEBUG: Process image base: 0x00000000FFEE0000
2019-08-13 23:02:32,253 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:32,253 [root] DEBUG: GetHookCallerBase: thread 3692 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:32,253 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,253 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,253 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:32,253 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:32,253 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFEEF000 - 0x000007FEFF430000
2019-08-13 23:02:32,253 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:32,269 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:32,269 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:32,269 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00000000FFEF0000.
2019-08-13 23:02:32,269 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:32,269 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:32,285 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,285 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,285 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:32,285 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,285 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,285 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3864
2019-08-13 23:02:32,299 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3900
2019-08-13 23:02:32,299 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TM14MRXND5PWCF2BP1WP.temp'
2019-08-13 23:02:32,299 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,315 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:32,315 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,315 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TM14MRXND5PWCF2BP1WP.temp'
2019-08-13 23:02:32,315 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,315 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:32,315 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3688_7903154963222714382019
2019-08-13 23:02:32,332 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,332 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:32,332 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,332 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:32,332 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:32,332 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,332 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TM14MRXND5PWCF2BP1WP.temp'
2019-08-13 23:02:32,346 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:32,346 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,346 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:32,346 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,346 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP'
2019-08-13 23:02:32,362 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:32,378 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:32,378 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000184000-0x0000000000280000
2019-08-13 23:02:32,378 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3468
2019-08-13 23:02:32,378 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFEE0000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 23:02:32,378 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:32,378 [root] INFO: Announced 64-bit process name: sc.exe pid: 3372
2019-08-13 23:02:32,378 [root] INFO: Added new process to list with pid: 3900
2019-08-13 23:02:32,394 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,394 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp" does not exist, skip.
2019-08-13 23:02:32,394 [root] INFO: Monitor successfully loaded in process with pid 3900.
2019-08-13 23:02:32,394 [root] INFO: Added new process to list with pid: 3864
2019-08-13 23:02:32,394 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,394 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,394 [root] INFO: Monitor successfully loaded in process with pid 3864.
2019-08-13 23:02:32,410 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,410 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,410 [root] DEBUG: GetHookCallerBase: thread 3872 (handle 0x0), return address 0x00000000FFEE1D01, allocation base 0x00000000FFEE0000.
2019-08-13 23:02:32,410 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,410 [root] DEBUG: GetHookCallerBase: thread 3904 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:32,410 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,410 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFEE0000 main_caller_retaddr 0x00000000FFEE1D01 parent_caller_retaddr 0x00000000FFEE1E7B.
2019-08-13 23:02:32,410 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:32,410 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,410 [root] DEBUG: Loader: Injecting process 3468 (thread 3488) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,424 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFEE0000.
2019-08-13 23:02:32,424 [root] DEBUG: Loader: Injecting process 3372 (thread 3376) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,424 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:02:32,424 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:32,424 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:32,424 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:32,424 [root] DEBUG: Process image base: 0x00000000FFEE0000
2019-08-13 23:02:32,440 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:32,440 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,440 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,440 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:32,440 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:32,440 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFEEF000 - 0x000007FEFF430000
2019-08-13 23:02:32,440 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3864_818613883222714382019
2019-08-13 23:02:32,456 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:32,456 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00000000FFEF0000.
2019-08-13 23:02:32,456 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:02:32,456 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,456 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,456 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFEE0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:32,456 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,471 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3900_9763207203222714382019
2019-08-13 23:02:32,471 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,471 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3468
2019-08-13 23:02:32,471 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3372
2019-08-13 23:02:32,471 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:32,487 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,487 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:32,487 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:32,487 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:32,487 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,487 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,487 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:32,487 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:32,503 [root] INFO: Notified of termination of process with pid 3864.
2019-08-13 23:02:32,503 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:32,503 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,503 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,503 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp" does not exist, skip.
2019-08-13 23:02:32,503 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:32,503 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:32,503 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3856
2019-08-13 23:02:32,519 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,519 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,519 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:32,519 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:32,519 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:32,519 [root] INFO: Notified of termination of process with pid 3400.
2019-08-13 23:02:32,533 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFEE0000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 23:02:32,533 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,549 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:32,549 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,549 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:32,549 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:32,549 [root] INFO: Added new process to list with pid: 3372
2019-08-13 23:02:32,549 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,565 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001A4000-0x00000000002A0000
2019-08-13 23:02:32,581 [root] INFO: Monitor successfully loaded in process with pid 3372.
2019-08-13 23:02:32,581 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3992
2019-08-13 23:02:32,581 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,581 [root] INFO: Added new process to list with pid: 3468
2019-08-13 23:02:32,581 [root] DEBUG: GetHookCallerBase: thread 3376 (handle 0x0), return address 0x00000000FFEE1D01, allocation base 0x00000000FFEE0000.
2019-08-13 23:02:32,581 [root] INFO: Monitor successfully loaded in process with pid 3468.
2019-08-13 23:02:32,596 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,596 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,596 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KR0QH5J9UJHK8Z3F4BND.temp'
2019-08-13 23:02:32,596 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFEE0000 main_caller_retaddr 0x00000000FFEE1D01 parent_caller_retaddr 0x00000000FFEE1E7B.
2019-08-13 23:02:32,596 [root] DEBUG: GetHookCallerBase: thread 3488 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:32,596 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,596 [root] DEBUG: Loader: Injecting process 3856 (thread 3860) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,596 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KR0QH5J9UJHK8Z3F4BND.temp'
2019-08-13 23:02:32,628 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFEE0000.
2019-08-13 23:02:32,628 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,644 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:32,644 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:02:32,658 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:32,674 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:32,674 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:32,674 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:32,674 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:32,674 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,690 [root] DEBUG: Loader: Injecting process 3992 (thread 3996) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,690 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KR0QH5J9UJHK8Z3F4BND.temp'
2019-08-13 23:02:32,690 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:32,690 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:32,690 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:32,690 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:32,690 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP'
2019-08-13 23:02:32,706 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:32,706 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3372_4883688073222714382019
2019-08-13 23:02:32,706 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,706 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:32,706 [root] INFO: Notified of termination of process with pid 1592.
2019-08-13 23:02:32,706 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:32,706 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,706 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:02:32,706 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:32,721 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp" does not exist, skip.
2019-08-13 23:02:32,721 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,721 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFEE0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:32,721 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:32,736 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3856
2019-08-13 23:02:32,753 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3468_20362670263222714382019
2019-08-13 23:02:32,753 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:32,767 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:32,767 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,767 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:32,767 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:32,767 [root] INFO: Notified of termination of process with pid 3372.
2019-08-13 23:02:32,767 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,783 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:32,783 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3992
2019-08-13 23:02:32,783 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:32,799 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:32,799 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,831 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:32,831 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:32,845 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp" does not exist, skip.
2019-08-13 23:02:32,845 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:32,845 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:32,845 [root] INFO: Notified of termination of process with pid 3688.
2019-08-13 23:02:32,845 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,845 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:32,845 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3724
2019-08-13 23:02:32,845 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:32,845 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:32,878 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:32,878 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000000F6000-0x0000000000100000
2019-08-13 23:02:32,892 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:32,908 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:32,908 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:32,908 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:32,908 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:32,924 [root] INFO: Added new process to list with pid: 3856
2019-08-13 23:02:32,924 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:32,924 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:32,924 [root] INFO: Monitor successfully loaded in process with pid 3856.
2019-08-13 23:02:32,924 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:32,940 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:32,956 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:32,970 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:33,017 [root] DEBUG: GetHookCallerBase: thread 3860 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:33,049 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:33,049 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000000A4000-0x00000000001A0000
2019-08-13 23:02:33,049 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3252
2019-08-13 23:02:33,049 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:33,079 [root] DEBUG: Loader: Injecting process 3724 (thread 3800) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,079 [root] INFO: Added new process to list with pid: 3992
2019-08-13 23:02:33,079 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:33,079 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:33,079 [root] INFO: Monitor successfully loaded in process with pid 3992.
2019-08-13 23:02:33,079 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:33,079 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:33,095 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:33,095 [root] DEBUG: GetHookCallerBase: thread 3996 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:33,095 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,095 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:33,095 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:33,095 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:33,095 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:33,111 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:33,111 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:33,111 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:33,111 [root] DEBUG: Loader: Injecting process 3252 (thread 3256) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,111 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:33,111 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:33,111 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:33,127 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:33,127 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3856_16634641283322714382019
2019-08-13 23:02:33,127 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,127 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,142 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:33,142 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3724
2019-08-13 23:02:33,142 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:33,142 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:33,142 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:33,157 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:33,157 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:33,157 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3992_18915841263322714382019
2019-08-13 23:02:33,157 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:33,157 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:33,157 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:33,157 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:33,157 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:33,174 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,174 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:33,174 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:33,174 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:33,190 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:33,190 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3252
2019-08-13 23:02:33,190 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:33,190 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:33,204 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:33,204 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:33,204 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:33,204 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:33,204 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000195000-0x00000000001A0000
2019-08-13 23:02:33,220 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:33,220 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3228
2019-08-13 23:02:33,220 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:33,220 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WNC9NAZT2MQKDK5UP6U5.temp'
2019-08-13 23:02:33,220 [root] INFO: Added new process to list with pid: 3724
2019-08-13 23:02:33,220 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:33,220 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:33,236 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:33,236 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:33,236 [root] INFO: Monitor successfully loaded in process with pid 3724.
2019-08-13 23:02:33,236 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WNC9NAZT2MQKDK5UP6U5.temp'
2019-08-13 23:02:33,236 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:33,236 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:33,236 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:33,236 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:33,236 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:33,252 [root] DEBUG: GetHookCallerBase: thread 3800 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:33,252 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:33,252 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:33,252 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:33,252 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:33,267 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:33,267 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WNC9NAZT2MQKDK5UP6U5.temp'
2019-08-13 23:02:33,267 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:33,267 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000000A4000-0x00000000001A0000
2019-08-13 23:02:33,267 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:33,267 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:33,267 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3364
2019-08-13 23:02:33,267 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP'
2019-08-13 23:02:33,282 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:33,282 [root] INFO: Added new process to list with pid: 3252
2019-08-13 23:02:33,282 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:33,282 [root] DEBUG: Loader: Injecting process 3228 (thread 3220) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,282 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:33,299 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:33,299 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:33,299 [root] INFO: Monitor successfully loaded in process with pid 3252.
2019-08-13 23:02:33,299 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:33,299 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:33,299 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp" does not exist, skip.
2019-08-13 23:02:33,299 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:33,299 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:33,299 [root] DEBUG: GetHookCallerBase: thread 3256 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:33,313 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,313 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:33,313 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:33,329 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:33,329 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:33,329 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp" does not exist, skip.
2019-08-13 23:02:33,329 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:33,329 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:33,345 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:33,345 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:33,345 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3724_4337049383322714382019
2019-08-13 23:02:33,345 [root] DEBUG: Loader: Injecting process 3364 (thread 3780) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,345 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:33,345 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:33,345 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:33,361 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:33,361 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:33,391 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,391 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:33,407 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:33,407 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:33,407 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3228
2019-08-13 23:02:33,424 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,424 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:33,470 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:33,486 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:33,486 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:33,486 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:33,486 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:33,502 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3252_16120054273322714382019
2019-08-13 23:02:33,502 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:33,502 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:33,502 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:33,516 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:33,516 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:33,516 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:33,532 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JR8QMLI8XYDQ7O1Z3YED.temp'
2019-08-13 23:02:33,548 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:33,548 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:33,563 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:33,563 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JR8QMLI8XYDQ7O1Z3YED.temp'
2019-08-13 23:02:33,563 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:33,563 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,579 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:33,579 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4TIPC8XEIBF2PM7T0KC1.temp'
2019-08-13 23:02:33,595 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:33,595 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:33,595 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000001A5000-0x00000000001B0000
2019-08-13 23:02:33,595 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3364
2019-08-13 23:02:33,595 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:33,611 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:33,611 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4TIPC8XEIBF2PM7T0KC1.temp'
2019-08-13 23:02:33,625 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JR8QMLI8XYDQ7O1Z3YED.temp'
2019-08-13 23:02:33,625 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3312
2019-08-13 23:02:33,625 [root] INFO: Added new process to list with pid: 3228
2019-08-13 23:02:33,625 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:33,625 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:33,625 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:33,625 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:33,625 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP'
2019-08-13 23:02:33,641 [root] INFO: Monitor successfully loaded in process with pid 3228.
2019-08-13 23:02:33,641 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:33,641 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:33,641 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:33,641 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:33,641 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:33,641 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4TIPC8XEIBF2PM7T0KC1.temp'
2019-08-13 23:02:33,657 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:33,657 [root] DEBUG: GetHookCallerBase: thread 3220 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:33,657 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:33,657 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:33,688 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:33,688 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:33,688 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP'
2019-08-13 23:02:33,688 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp" does not exist, skip.
2019-08-13 23:02:33,703 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:33,703 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:33,703 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:33,703 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:33,703 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:33,720 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:33,720 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:33,720 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:33,720 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:33,720 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:33,736 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:33,736 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp" does not exist, skip.
2019-08-13 23:02:33,736 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:33,736 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:33,736 [root] DEBUG: Loader: Injecting process 3312 (thread 3796) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,750 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:33,750 [root] INFO: Announced 64-bit process name: cmd.exe pid: 4052
2019-08-13 23:02:33,750 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:02:33,766 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp" does not exist, skip.
2019-08-13 23:02:33,766 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:33,766 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:33,766 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:33,766 [root] INFO: Added new process to list with pid: 3364
2019-08-13 23:02:33,782 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:33,782 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,782 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:33,782 [root] INFO: Monitor successfully loaded in process with pid 3364.
2019-08-13 23:02:33,798 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:33,798 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp" does not exist, skip.
2019-08-13 23:02:33,798 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:33,798 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:33,798 [root] DEBUG: GetHookCallerBase: thread 3780 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:33,798 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3228_4590284093322714382019
2019-08-13 23:02:33,798 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:33,813 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:33,813 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:33,828 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:33,875 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:33,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:33,875 [root] INFO: Process with pid 2332 has terminated
2019-08-13 23:02:33,875 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:33,875 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:33,891 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:33,891 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:33,891 [root] DEBUG: Loader: Injecting process 4052 (thread 2872) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,891 [root] INFO: Process with pid 1592 has terminated
2019-08-13 23:02:33,923 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,937 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:33,937 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:33,937 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:33,937 [root] INFO: Process with pid 2924 has terminated
2019-08-13 23:02:33,953 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3312
2019-08-13 23:02:33,953 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:33,953 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:33,953 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:33,970 [root] INFO: Process with pid 3400 has terminated
2019-08-13 23:02:33,970 [root] INFO: Process with pid 3864 has terminated
2019-08-13 23:02:33,970 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:33,970 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:33,970 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:33,984 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:33,984 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:34,000 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:34,000 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:34,000 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3364_18014034443322714382019
2019-08-13 23:02:34,016 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:34,032 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:34,032 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,032 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:34,032 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:34,048 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:34,048 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4052
2019-08-13 23:02:34,062 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:34,078 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000000B6000-0x00000000000C0000
2019-08-13 23:02:34,078 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:34,094 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:34,094 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:34,094 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:34,094 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:34,094 [root] INFO: Added new process to list with pid: 3312
2019-08-13 23:02:34,094 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3460
2019-08-13 23:02:34,094 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:34,141 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:34,141 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:34,141 [root] INFO: Monitor successfully loaded in process with pid 3312.
2019-08-13 23:02:34,141 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:34,141 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:34,157 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:34,157 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:34,171 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:34,171 [root] DEBUG: GetHookCallerBase: thread 3796 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:34,171 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:34,171 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:34,171 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:34,171 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:34,187 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:34,187 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:34,187 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:34,187 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:34,187 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:34,187 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:34,187 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:34,187 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:34,203 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:34,203 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:02:34,203 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3684
2019-08-13 23:02:34,250 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:34,250 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:34,250 [root] INFO: Added new process to list with pid: 4052
2019-08-13 23:02:34,250 [root] DEBUG: Loader: Injecting process 3460 (thread 2740) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,250 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:34,250 [root] INFO: Monitor successfully loaded in process with pid 4052.
2019-08-13 23:02:34,250 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:34,282 [root] DEBUG: GetHookCallerBase: thread 2872 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:34,282 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:34,282 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:34,282 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,296 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:34,296 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:34,296 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:34,296 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:34,296 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:34,296 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3312_2360624483422714382019
2019-08-13 23:02:34,296 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:34,296 [root] INFO: Notified of termination of process with pid 544.
2019-08-13 23:02:34,296 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:34,312 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:34,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:34,312 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:34,312 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:34,312 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:34,312 [root] DEBUG: Loader: Injecting process 3684 (thread 2288) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,312 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:34,328 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:34,328 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,328 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:34,328 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3460
2019-08-13 23:02:34,344 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:34,359 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,359 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:34,359 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:34,359 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:34,359 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:34,375 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:34,375 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\4052_20431863843422714382019
2019-08-13 23:02:34,375 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:34,375 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:34,375 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:34,391 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:34,391 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:34,391 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:34,391 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,391 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:34,391 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:34,405 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3684
2019-08-13 23:02:34,405 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:34,405 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:34,421 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:34,421 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:34,421 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:34,421 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000145000-0x0000000000150000
2019-08-13 23:02:34,453 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:34,453 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:34,453 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2940
2019-08-13 23:02:34,453 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:34,453 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:34,469 [root] INFO: Added new process to list with pid: 3460
2019-08-13 23:02:34,469 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:34,483 [root] INFO: Monitor successfully loaded in process with pid 3460.
2019-08-13 23:02:34,483 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:34,483 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:34,483 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:34,483 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:34,516 [root] DEBUG: GetHookCallerBase: thread 2740 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:34,516 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:34,516 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:34,516 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:34,516 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:34,546 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:34,578 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:34,578 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:34,578 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:34,578 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:34,594 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001E4000-0x00000000002E0000
2019-08-13 23:02:34,594 [root] INFO: Announced 64-bit process name: cmd.exe pid: 4060
2019-08-13 23:02:34,594 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:34,594 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:34,594 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:34,594 [root] INFO: Added new process to list with pid: 3684
2019-08-13 23:02:34,625 [root] INFO: Monitor successfully loaded in process with pid 3684.
2019-08-13 23:02:34,625 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:34,625 [root] DEBUG: Loader: Injecting process 2940 (thread 3628) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,625 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:34,625 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:34,625 [root] DEBUG: GetHookCallerBase: thread 2288 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:34,625 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:34,625 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:34,640 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:34,640 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:34,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,640 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:34,655 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:34,655 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:34,655 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:34,655 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3460_4200807013422714382019
2019-08-13 23:02:34,655 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:34,671 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:34,671 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:34,671 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:34,671 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:34,687 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:34,687 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3684_6548935043422714382019
2019-08-13 23:02:34,703 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:34,703 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:34,812 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2940
2019-08-13 23:02:34,812 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:34,812 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:34,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:34,999 [root] INFO: Process with pid 544 has terminated
2019-08-13 23:02:35,029 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:35,279 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:35,311 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:35,561 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:35,608 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:35,622 [root] INFO: Process with pid 1788 has terminated
2019-08-13 23:02:35,622 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:35,622 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:35,622 [root] DEBUG: Loader: Injecting process 4060 (thread 164) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:35,654 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4088
2019-08-13 23:02:35,670 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:35,686 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:35,686 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:35,700 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:35,700 [root] INFO: Process with pid 3688 has terminated
2019-08-13 23:02:35,700 [root] INFO: Notified of termination of process with pid 972.
2019-08-13 23:02:35,700 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:35,700 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:35,747 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:35,747 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:35,763 [root] INFO: Process with pid 3372 has terminated
2019-08-13 23:02:35,763 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:35,763 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:35,779 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:35,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:35,779 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:35,779 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:35,779 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:35,795 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:35,795 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:35,795 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:35,809 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000001E6000-0x00000000001F0000
2019-08-13 23:02:35,825 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:35,825 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:35,825 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:35,825 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:35,825 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:35,825 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:35,904 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:35,904 [root] INFO: Added new process to list with pid: 2940
2019-08-13 23:02:35,920 [root] DEBUG: Loader: Injecting process 4088 (thread 3560) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:35,920 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:35,920 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:35,920 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:35,920 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:35,934 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:35,934 [root] INFO: Monitor successfully loaded in process with pid 2940.
2019-08-13 23:02:35,934 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\L60QMSWDBQS6FINKPPKD.temp'
2019-08-13 23:02:35,934 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:35,934 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:35,934 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:35,934 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:35,950 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:35,950 [root] DEBUG: GetHookCallerBase: thread 3628 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:35,950 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\L60QMSWDBQS6FINKPPKD.temp'
2019-08-13 23:02:35,950 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:35,982 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:35,982 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4060
2019-08-13 23:02:35,982 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:35,997 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:35,997 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:35,997 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:35,997 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:36,013 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:36,013 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:36,013 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:36,013 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:36,013 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\L60QMSWDBQS6FINKPPKD.temp'
2019-08-13 23:02:36,013 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:36,013 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:36,043 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:36,043 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:36,043 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:36,043 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:36,059 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:36,059 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP'
2019-08-13 23:02:36,059 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:36,059 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:36,059 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:36,059 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:36,059 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:36,075 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,075 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:36,075 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:36,091 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:36,091 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4088
2019-08-13 23:02:36,091 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:36,107 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000144000-0x0000000000240000
2019-08-13 23:02:36,107 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp" does not exist, skip.
2019-08-13 23:02:36,121 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:36,121 [root] INFO: Announced 64-bit process name: cmd.exe pid: 4704
2019-08-13 23:02:36,121 [root] INFO: Added new process to list with pid: 4060
2019-08-13 23:02:36,138 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\2940_2641455603622714382019
2019-08-13 23:02:36,138 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4UEKC1JSB2PR92YIK60W.temp'
2019-08-13 23:02:36,138 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:36,138 [root] INFO: Monitor successfully loaded in process with pid 4060.
2019-08-13 23:02:36,138 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:36,138 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:36,138 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:36,138 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4UEKC1JSB2PR92YIK60W.temp'
2019-08-13 23:02:36,263 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp" does not exist, skip.
2019-08-13 23:02:36,263 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:36,263 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:36,309 [root] DEBUG: GetHookCallerBase: thread 164 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:36,309 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:36,309 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:36,309 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:36,309 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:36,341 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:36,341 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:36,341 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:36,341 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:36,355 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4UEKC1JSB2PR92YIK60W.temp'
2019-08-13 23:02:36,355 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:36,355 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:36,355 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:36,371 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:36,371 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP'
2019-08-13 23:02:36,371 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000000F5000-0x0000000000100000
2019-08-13 23:02:36,388 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:36,388 [root] DEBUG: Loader: Injecting process 4704 (thread 4708) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,388 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:36,388 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:36,388 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:36,388 [root] INFO: Added new process to list with pid: 4088
2019-08-13 23:02:36,403 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:36,403 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:36,403 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:36,403 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:36,403 [root] INFO: Monitor successfully loaded in process with pid 4088.
2019-08-13 23:02:36,418 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp" does not exist, skip.
2019-08-13 23:02:36,418 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:36,418 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,418 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:36,418 [root] DEBUG: GetHookCallerBase: thread 3560 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:36,434 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:36,434 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:36,434 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:36,434 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:36,450 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\4060_16217716233622714382019
2019-08-13 23:02:36,450 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:36,450 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp" does not exist, skip.
2019-08-13 23:02:36,450 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:36,466 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:36,466 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:36,466 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:36,466 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:36,466 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:36,466 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:36,480 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:36,480 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:36,480 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:36,480 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:36,496 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:36,496 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,496 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:36,512 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:36,512 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:36,512 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4704
2019-08-13 23:02:36,528 [root] INFO: Announced 64-bit process name: powershell.exe pid: 5036
2019-08-13 23:02:36,528 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:36,543 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:36,543 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:36,543 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:36,559 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:36,559 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:02:36,559 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1VVGAM1OLX1AXXX8KR4X.temp'
2019-08-13 23:02:36,589 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\4088_4950503373622714382019
2019-08-13 23:02:36,589 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:36,605 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:36,605 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:36,605 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:36,605 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:36,605 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1VVGAM1OLX1AXXX8KR4X.temp'
2019-08-13 23:02:36,605 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:36,605 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:36,621 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:36,637 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:02:36,637 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:36,637 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:36,637 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:36,653 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:36,653 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:02:36,653 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:36,653 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\1VVGAM1OLX1AXXX8KR4X.temp'
2019-08-13 23:02:36,667 [root] DEBUG: Loader: Injecting process 5036 (thread 5040) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,667 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x00000000001E4000-0x00000000002E0000
2019-08-13 23:02:36,667 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:36,684 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP'
2019-08-13 23:02:36,684 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3564
2019-08-13 23:02:36,700 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:36,700 [root] INFO: Added new process to list with pid: 4704
2019-08-13 23:02:36,714 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:36,714 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:36,730 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:36,746 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:36,746 [root] INFO: Monitor successfully loaded in process with pid 4704.
2019-08-13 23:02:36,746 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,746 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:36,762 [root] INFO: Notified of termination of process with pid 1748.
2019-08-13 23:02:36,762 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:36,762 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp" does not exist, skip.
2019-08-13 23:02:36,762 [root] DEBUG: GetHookCallerBase: thread 4708 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:36,762 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:36,762 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:36,778 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:36,778 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:36,778 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:36,778 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:36,778 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:36,792 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:36,792 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:36,792 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:36,823 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp" does not exist, skip.
2019-08-13 23:02:36,823 [root] INFO: Process with pid 1748 has terminated
2019-08-13 23:02:36,823 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:36,823 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:36,839 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:36,839 [root] DEBUG: Loader: Injecting process 3564 (thread 3960) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,855 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:36,855 [root] INFO: Process with pid 972 has terminated
2019-08-13 23:02:36,855 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,871 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:36,871 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:36,871 [root] DEBUG: Process image base: 0x0000000049DC0000
2019-08-13 23:02:36,871 [root] INFO: Process with pid 2708 has terminated
2019-08-13 23:02:36,871 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 5036
2019-08-13 23:02:36,871 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:36,887 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:36,887 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:36,901 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,901 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:36,917 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:36,917 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:36,934 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049E19000 - 0x0000000077110000
2019-08-13 23:02:36,934 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:36,934 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:36,934 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:36,948 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049E20000.
2019-08-13 23:02:36,948 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:36,964 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\4704_5674118223622714382019
2019-08-13 23:02:36,964 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:36,964 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:36,980 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:36,980 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:36,980 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:36,980 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:36,980 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:36,996 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:37,012 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3564
2019-08-13 23:02:37,012 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 23:02:37,042 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:37,058 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:02:37,058 [root] INFO: Added new process to list with pid: 5036
2019-08-13 23:02:37,058 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:37,058 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4508
2019-08-13 23:02:37,073 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:02:37,073 [root] INFO: Monitor successfully loaded in process with pid 5036.
2019-08-13 23:02:37,089 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:37,089 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:02:37,089 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:37,089 [root] DEBUG: GetHookCallerBase: thread 5040 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:37,089 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:37,105 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:37,105 [root] INFO: Announced 64-bit process name: svchost.exe pid: 4696
2019-08-13 23:02:37,105 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:37,105 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:37,121 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:37,121 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:37,121 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:37,121 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:37,135 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:37,135 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:37,151 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x0000000049DC0000, stack from 0x0000000000064000-0x0000000000160000
2019-08-13 23:02:37,151 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:37,151 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:37,151 [root] DEBUG: Loader: Injecting process 4508 (thread 4620) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,151 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:37,167 [root] INFO: Added new process to list with pid: 3564
2019-08-13 23:02:37,167 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:37,167 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:37,167 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\MLPVWM1WVGDU0OV56FY3.temp'
2019-08-13 23:02:37,183 [root] INFO: Monitor successfully loaded in process with pid 3564.
2019-08-13 23:02:37,183 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:37,183 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,198 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\MLPVWM1WVGDU0OV56FY3.temp'
2019-08-13 23:02:37,198 [root] DEBUG: GetHookCallerBase: thread 3960 (handle 0x0), return address 0x0000000049DC9099, allocation base 0x0000000049DC0000.
2019-08-13 23:02:37,198 [root] DEBUG: Loader: Injecting process 4696 (thread 4676) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,198 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:37,198 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:37,198 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\5036_9256912643722714382019
2019-08-13 23:02:37,198 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x0000000049DC0000 main_caller_retaddr 0x0000000049DC9099 parent_caller_retaddr 0x0000000049DC98F3.
2019-08-13 23:02:37,213 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 23:02:37,213 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:37,213 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\MLPVWM1WVGDU0OV56FY3.temp'
2019-08-13 23:02:37,213 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:37,230 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049DC0000.
2019-08-13 23:02:37,230 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,230 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:37,230 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP'
2019-08-13 23:02:37,230 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:37,246 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:02:37,246 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-08-13 23:02:37,246 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,260 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:37,260 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:37,260 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:37,260 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:02:37,260 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FFA20000.
2019-08-13 23:02:37,260 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4508
2019-08-13 23:02:37,276 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:37,276 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp" does not exist, skip.
2019-08-13 23:02:37,276 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:37,276 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:37,292 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:37,292 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:37,292 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:37,292 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:37,292 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,308 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:37,308 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:37,308 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\3564_2314880503722714382019
2019-08-13 23:02:37,308 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp" does not exist, skip.
2019-08-13 23:02:37,308 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:37,323 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4696
2019-08-13 23:02:37,323 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:37,323 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:37,323 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:02:37,338 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:37,338 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:37,355 [root] DEBUG: Dump-on-API: Dumped module at 0x0000000049DC0000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:37,355 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:37,355 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:37,355 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:37,369 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:37,369 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:37,369 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:02:37,369 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:37,369 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:37,369 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000195000-0x00000000001A0000
2019-08-13 23:02:37,369 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4112
2019-08-13 23:02:37,385 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:37,385 [root] INFO: Added new process to list with pid: 4508
2019-08-13 23:02:37,385 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:37,401 [root] INFO: Monitor successfully loaded in process with pid 4508.
2019-08-13 23:02:37,401 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:37,401 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:37,401 [root] DEBUG: GetHookCallerBase: thread 4620 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:37,401 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:37,401 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFA10000, stack from 0x00000000001E5000-0x00000000001F0000
2019-08-13 23:02:37,401 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:37,417 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:37,417 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:37,417 [root] INFO: Added new process to list with pid: 4696
2019-08-13 23:02:37,417 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:37,417 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:37,417 [root] INFO: Monitor successfully loaded in process with pid 4696.
2019-08-13 23:02:37,433 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:37,433 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:37,433 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-08-13 23:02:37,447 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:37,447 [root] DEBUG: Loader: Injecting process 4112 (thread 5072) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,463 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-08-13 23:02:37,463 [root] DEBUG: Process image base: 0x000000013F620000
2019-08-13 23:02:37,463 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:37,463 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:02:37,463 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,463 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F697000 - 0x000007FEFF430000
2019-08-13 23:02:37,480 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F6A0000.
2019-08-13 23:02:37,480 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-08-13 23:02:37,480 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:02:37,480 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:37,494 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:37,494 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\4508_10666603683722714382019
2019-08-13 23:02:37,494 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4112
2019-08-13 23:02:37,494 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:37,494 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:37,494 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:37,494 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:37,510 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-08-13 23:02:37,510 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:37,510 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:37,510 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:37,510 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-08-13 23:02:37,510 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:37,526 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:37,526 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:37,526 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:37,526 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F620000, stack from 0x0000000000216000-0x0000000000220000
2019-08-13 23:02:37,558 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:37,558 [root] INFO: Added new process to list with pid: 4112
2019-08-13 23:02:37,558 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:02:37,558 [root] INFO: Monitor successfully loaded in process with pid 4112.
2019-08-13 23:02:37,558 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:37,572 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:02:37,572 [root] DEBUG: GetHookCallerBase: thread 5072 (handle 0x0), return address 0x000000013F62C7D9, allocation base 0x000000013F620000.
2019-08-13 23:02:37,572 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:37,572 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F620000 main_caller_retaddr 0x000000013F62C7D9 parent_caller_retaddr 0x000000013F62C453.
2019-08-13 23:02:37,572 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:37,572 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F620000.
2019-08-13 23:02:37,588 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:37,604 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:02:37,604 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:02:37,604 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:37,604 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:02:37,604 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-08-13 23:02:37,604 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:37,619 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-08-13 23:02:37,651 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:37,651 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:37,667 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:37,667 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:37,667 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-08-13 23:02:37,667 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\4112_14170458883722714382019
2019-08-13 23:02:37,681 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:02:37,681 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F620000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:02:37,681 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:37,681 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:02:37,697 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:37,729 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:37,729 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:37,729 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:02:37,729 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:37,744 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:37,744 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:02:37,744 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:37,759 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:37,759 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:02:37,759 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:37,792 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:02:37,806 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:02:37,822 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:37,838 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:02:37,869 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:02:37,869 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:37,901 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:02:37,901 [root] INFO: Notified of termination of process with pid 2764.
2019-08-13 23:02:37,915 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:02:37,915 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:02:37,915 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:02:37,979 [root] INFO: Process with pid 2764 has terminated
2019-08-13 23:02:37,979 [root] INFO: Process with pid 3052 has terminated
2019-08-13 23:02:37,993 [root] INFO: Process with pid 1080 has terminated
2019-08-13 23:02:38,026 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:38,056 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:38,072 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:38,134 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:38,150 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:38,243 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:38,243 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:38,275 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:02:38,275 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:38,275 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:38,305 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BHYF6GGTMB8Z5R1SWHOE.temp'
2019-08-13 23:02:38,305 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:02:38,322 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BHYF6GGTMB8Z5R1SWHOE.temp'
2019-08-13 23:02:38,322 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\K56G7Z35HVS6JP1XYE1T.temp'
2019-08-13 23:02:38,322 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:02:38,322 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:38,322 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\K56G7Z35HVS6JP1XYE1T.temp'
2019-08-13 23:02:38,338 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:02:38,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BHYF6GGTMB8Z5R1SWHOE.temp'
2019-08-13 23:02:38,338 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:38,338 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:02:38,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP'
2019-08-13 23:02:38,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\K56G7Z35HVS6JP1XYE1T.temp'
2019-08-13 23:02:38,352 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:38,352 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP'
2019-08-13 23:02:38,352 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp" does not exist, skip.
2019-08-13 23:02:38,368 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:38,368 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:38,384 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp" does not exist, skip.
2019-08-13 23:02:38,384 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp" does not exist, skip.
2019-08-13 23:02:38,384 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:38,384 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:38,400 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp" does not exist, skip.
2019-08-13 23:02:38,400 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:38,415 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:38,415 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:02:38,415 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:38,415 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:02:38,461 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 23:02:38,461 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:38,477 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 23:02:38,477 [root] INFO: Notified of termination of process with pid 4060.
2019-08-13 23:02:38,477 [root] INFO: Stopped Task Scheduler Service
2019-08-13 23:02:38,493 [root] DEBUG: DLL unloaded from 0x74870000.
2019-08-13 23:02:38,493 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\AB551YI3XM14P1U2I8OA.temp'
2019-08-13 23:02:38,493 [root] INFO: Notified of termination of process with pid 3568.
2019-08-13 23:02:38,509 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\AB551YI3XM14P1U2I8OA.temp'
2019-08-13 23:02:38,509 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:02:38,509 [root] INFO: Started Task Scheduler Service
2019-08-13 23:02:38,525 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\AB551YI3XM14P1U2I8OA.temp'
2019-08-13 23:02:38,539 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP'
2019-08-13 23:02:38,539 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:02:38,555 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:02:38,555 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:02:38,572 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:02:38,572 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp" does not exist, skip.
2019-08-13 23:02:38,586 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:02:38,602 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:02:38,602 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:38,602 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp" does not exist, skip.
2019-08-13 23:02:38,618 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 23:02:38,618 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:02:38,618 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:02:38,634 [root] DEBUG: DLL loaded at 0x00000000740D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:02:38,634 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:02:38,634 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:02:38,650 [root] INFO: Disabling sleep skipping.
2019-08-13 23:02:38,696 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFA10000, stack from 0x0000000002E46000-0x0000000002E50000
2019-08-13 23:02:38,696 [root] INFO: Added new process to list with pid: 816
2019-08-13 23:02:38,696 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-08-13 23:02:38,711 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:02:38,711 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:02:38,727 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:02:38,851 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:38,851 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:38,851 [root] INFO: Notified of termination of process with pid 2104.
2019-08-13 23:02:39,132 [root] INFO: Process with pid 2104 has terminated
2019-08-13 23:02:39,132 [root] INFO: Process with pid 2128 has terminated
2019-08-13 23:02:39,132 [root] INFO: Process with pid 3568 has terminated
2019-08-13 23:02:39,148 [root] INFO: Process with pid 4060 has terminated
2019-08-13 23:02:39,148 [root] INFO: Process with pid 5036 has terminated
2019-08-13 23:02:39,881 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:39,881 [root] INFO: Notified of termination of process with pid 880.
2019-08-13 23:02:40,177 [root] INFO: Process with pid 880 has terminated
2019-08-13 23:02:40,740 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:02:40,740 [root] DEBUG: DLL loaded at 0x000007FEFB140000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-08-13 23:02:40,990 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:41,207 [root] INFO: Process with pid 2216 has terminated
2019-08-13 23:02:42,035 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:42,035 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:42,049 [root] INFO: Notified of termination of process with pid 3564.
2019-08-13 23:02:42,253 [root] INFO: Process with pid 3564 has terminated
2019-08-13 23:02:42,253 [root] INFO: Process with pid 4112 has terminated
2019-08-13 23:02:42,970 [root] DEBUG: DLL unloaded from 0x000007FEFB140000.
2019-08-13 23:02:42,986 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:42,986 [root] INFO: Notified of termination of process with pid 4696.
2019-08-13 23:02:43,079 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:43,079 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:43,079 [root] INFO: Notified of termination of process with pid 4704.
2019-08-13 23:02:43,298 [root] INFO: Process with pid 4704 has terminated
2019-08-13 23:02:43,298 [root] INFO: Process with pid 4696 has terminated
2019-08-13 23:02:44,094 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:44,109 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:44,109 [root] INFO: Notified of termination of process with pid 3684.
2019-08-13 23:02:44,328 [root] INFO: Process with pid 3684 has terminated
2019-08-13 23:02:44,328 [root] INFO: Process with pid 4088 has terminated
2019-08-13 23:02:45,138 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:45,138 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:45,138 [root] INFO: Notified of termination of process with pid 4052.
2019-08-13 23:02:45,358 [root] INFO: Process with pid 4052 has terminated
2019-08-13 23:02:45,358 [root] INFO: Process with pid 2940 has terminated
2019-08-13 23:02:46,153 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:46,168 [root] INFO: Notified of termination of process with pid 3364.
2019-08-13 23:02:46,168 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:46,387 [root] INFO: Process with pid 3364 has terminated
2019-08-13 23:02:46,403 [root] INFO: Process with pid 3460 has terminated
2019-08-13 23:02:47,230 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:47,244 [root] INFO: Notified of termination of process with pid 3252.
2019-08-13 23:02:47,244 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:47,417 [root] INFO: Process with pid 3252 has terminated
2019-08-13 23:02:47,431 [root] INFO: Process with pid 3312 has terminated
2019-08-13 23:02:48,275 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:48,289 [root] INFO: Notified of termination of process with pid 3900.
2019-08-13 23:02:48,289 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:48,446 [root] INFO: Process with pid 3900 has terminated
2019-08-13 23:02:48,461 [root] INFO: Process with pid 3856 has terminated
2019-08-13 23:02:48,461 [root] INFO: Process with pid 4508 has terminated
2019-08-13 23:02:49,335 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:49,335 [root] INFO: Notified of termination of process with pid 3468.
2019-08-13 23:02:49,351 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:49,492 [root] INFO: Process with pid 3468 has terminated
2019-08-13 23:02:49,492 [root] INFO: Process with pid 3724 has terminated
2019-08-13 23:02:50,365 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:50,381 [root] INFO: Notified of termination of process with pid 3992.
2019-08-13 23:02:50,381 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:50,520 [root] INFO: Process with pid 3992 has terminated
2019-08-13 23:02:51,410 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:51,426 [root] INFO: Notified of termination of process with pid 3096.
2019-08-13 23:02:51,426 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:51,535 [root] INFO: Process with pid 3096 has terminated
2019-08-13 23:02:51,535 [root] INFO: Process with pid 3840 has terminated
2019-08-13 23:02:52,470 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:52,470 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:02:52,470 [root] INFO: Notified of termination of process with pid 3036.
2019-08-13 23:02:52,565 [root] INFO: Process with pid 3036 has terminated
2019-08-13 23:02:52,565 [root] INFO: Process with pid 1940 has terminated
2019-08-13 23:02:52,579 [root] INFO: Process with pid 3228 has terminated
2019-08-13 23:02:53,516 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:02:53,532 [root] INFO: Notified of termination of process with pid 2076.
2019-08-13 23:02:53,594 [root] INFO: Process with pid 2076 has terminated
2019-08-13 23:02:54,608 [root] INFO: Process with pid 3408 has terminated
2019-08-13 23:03:25,542 [root] DEBUG: DLL unloaded from 0x000007FEF45C0000.
2019-08-13 23:03:25,589 [root] DEBUG: DLL unloaded from 0x000007FEF9950000.
2019-08-13 23:03:27,571 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 23:03:27,634 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-08-13 23:03:30,161 [root] DEBUG: DLL unloaded from 0x000007FEF9B80000.
2019-08-13 23:03:32,687 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-08-13 23:03:32,687 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-08-13 23:03:32,891 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 23:03:32,905 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-08-13 23:03:32,905 [root] DEBUG: DLL unloaded from 0x000007FEF4E10000.
2019-08-13 23:03:32,921 [root] DEBUG: DLL unloaded from 0x000007FEF94D0000.
2019-08-13 23:03:32,937 [root] DEBUG: DLL unloaded from 0x000007FEF8070000.
2019-08-13 23:03:32,953 [root] DEBUG: DLL unloaded from 0x000007FEFA1C0000.
2019-08-13 23:03:35,262 [root] INFO: Stopped WMI Service
2019-08-13 23:03:35,278 [root] INFO: Attaching to DcomLaunch service (pid 564)
2019-08-13 23:03:35,292 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:03:35,292 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:03:35,309 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:03:35,323 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:03:35,323 [root] DEBUG: Loader: Injecting process 564 (thread 0) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:35,339 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 568, handle 0x84
2019-08-13 23:03:35,355 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 23:03:35,371 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-08-13 23:03:35,371 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-08-13 23:03:35,387 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:03:35,401 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:03:35,401 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:03:35,417 [root] INFO: Disabling sleep skipping.
2019-08-13 23:03:35,434 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFA10000, stack from 0x0000000001EC6000-0x0000000001ED0000
2019-08-13 23:03:35,448 [root] INFO: Added new process to list with pid: 564
2019-08-13 23:03:35,464 [root] INFO: Monitor successfully loaded in process with pid 564.
2019-08-13 23:03:35,464 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:03:35,480 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:03:35,480 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:39,598 [root] INFO: Started WMI Service
2019-08-13 23:03:39,598 [root] INFO: Attaching to WMI service (pid 4100)
2019-08-13 23:03:39,630 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:03:39,630 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:03:39,630 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:03:39,645 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:03:39,661 [root] DEBUG: Loader: Injecting process 4100 (thread 0) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:39,677 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 23:03:39,691 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:03:39,691 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:03:39,707 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:03:39,723 [root] INFO: Disabling sleep skipping.
2019-08-13 23:03:39,739 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFA10000, stack from 0x0000000000D86000-0x0000000000D90000
2019-08-13 23:03:39,755 [root] INFO: Added new process to list with pid: 4100
2019-08-13 23:03:39,755 [root] INFO: Monitor successfully loaded in process with pid 4100.
2019-08-13 23:03:39,769 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:03:39,769 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:03:39,786 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:41,907 [root] DEBUG: DLL loaded at 0x000007FEF9E80000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-08-13 23:03:41,907 [root] DEBUG: DLL loaded at 0x000007FEFB270000: C:\Windows\system32\ATL (0x19000 bytes).
2019-08-13 23:03:41,923 [root] DEBUG: DLL loaded at 0x000007FEF9E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-08-13 23:03:41,938 [root] DEBUG: DLL loaded at 0x000007FEFA870000: C:\Windows\system32\samcli (0x14000 bytes).
2019-08-13 23:03:41,953 [root] DEBUG: DLL loaded at 0x000007FEFB820000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-08-13 23:03:41,970 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:03:41,986 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-08-13 23:03:42,000 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-08-13 23:03:42,032 [root] DEBUG: DLL loaded at 0x000007FEF9540000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-08-13 23:03:42,048 [root] DEBUG: DLL loaded at 0x000007FEF94D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-08-13 23:03:42,063 [root] DEBUG: DLL loaded at 0x000007FEF9A00000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-08-13 23:03:42,078 [root] DEBUG: DLL loaded at 0x000007FEF9980000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-08-13 23:03:42,095 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 23:03:42,095 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-08-13 23:03:42,109 [root] DEBUG: DLL loaded at 0x000007FEFCAC0000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-08-13 23:03:42,141 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-08-13 23:03:42,157 [root] DEBUG: DLL loaded at 0x000007FEF90B0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-08-13 23:03:42,173 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-08-13 23:03:42,187 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-08-13 23:03:42,203 [root] DEBUG: DLL unloaded from 0x000007FEFCB00000.
2019-08-13 23:03:42,562 [root] DEBUG: DLL loaded at 0x000007FEF80F0000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-08-13 23:03:42,562 [root] DEBUG: DLL loaded at 0x000007FEFA0C0000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-08-13 23:03:42,609 [root] DEBUG: DLL loaded at 0x000007FEF7400000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-08-13 23:03:42,703 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:03:43,124 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 224
2019-08-13 23:03:43,140 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:03:43,155 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:03:43,155 [root] DEBUG: DLL loaded at 0x000007FEFA1E0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-08-13 23:03:43,155 [lib.api.process] INFO: 64-bit DLL to inject is C:\mzxkdbjufe\dll\dykCyQSo.dll, loader C:\mzxkdbjufe\bin\NqaEEVzS.exe
2019-08-13 23:03:43,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NeBzMRwkB.
2019-08-13 23:03:43,279 [root] DEBUG: Loader: Injecting process 224 (thread 2880) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:43,296 [root] DEBUG: Process image base: 0x00000000FFE00000
2019-08-13 23:03:43,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:43,342 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFE5F000 - 0x000007FEFF430000
2019-08-13 23:03:43,358 [root] DEBUG: InjectDllViaIAT: Allocated 0x238 bytes for new import table at 0x00000000FFE60000.
2019-08-13 23:03:43,390 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:03:43,390 [root] DEBUG: Successfully injected DLL C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:43,404 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 224
2019-08-13 23:03:43,467 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:03:43,467 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:03:43,483 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:03:43,529 [root] INFO: Disabling sleep skipping.
2019-08-13 23:03:43,546 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFE00000, stack from 0x00000000001E0000-0x00000000001F0000
2019-08-13 23:03:43,576 [root] INFO: Added new process to list with pid: 224
2019-08-13 23:03:43,592 [root] INFO: Monitor successfully loaded in process with pid 224.
2019-08-13 23:03:43,592 [root] DEBUG: GetHookCallerBase: thread 2880 (handle 0x0), return address 0x00000000FFE0A7C1, allocation base 0x00000000FFE00000.
2019-08-13 23:03:43,638 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFE00000 main_caller_retaddr 0x00000000FFE0A7C1 parent_caller_retaddr 0x00000000FFE0A6ED.
2019-08-13 23:03:43,638 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFE00000.
2019-08-13 23:03:43,654 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000A9B4.
2019-08-13 23:03:43,686 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:03:43,747 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\224_2629517504323714382019
2019-08-13 23:03:43,763 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5b000.
2019-08-13 23:03:43,779 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFE00000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:03:43,811 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:03:43,858 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:03:43,920 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:03:43,950 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-08-13 23:03:43,982 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:03:43,997 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:03:44,013 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-08-13 23:03:44,138 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-08-13 23:03:44,200 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-08-13 23:03:44,371 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-08-13 23:03:44,839 [root] DEBUG: DLL loaded at 0x000007FEF9BA0000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2019-08-13 23:04:14,309 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:05:12,700 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-08-13 23:05:13,605 [root] ERROR: Traceback (most recent call last):
  File "C:\mzxkdbjufe\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\mzxkdbjufe\lib\core\log.py", line 61, in handle_logs
    data += buf.raw[:bytes_read.value]
MemoryError
2019-08-13 23:05:52,183 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 23:05:52,198 [root] INFO: Created shutdown mutex.
2019-08-13 23:05:53,213 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 224
2019-08-13 23:05:53,213 [root] INFO: Terminate event set for process 224.
2019-08-13 23:05:53,229 [root] INFO: Terminating process 224 before shutdown.
2019-08-13 23:05:53,229 [root] INFO: Waiting for process 224 to exit.
2019-08-13 23:05:54,257 [root] INFO: Waiting for process 224 to exit.
2019-08-13 23:05:55,272 [root] INFO: Waiting for process 224 to exit.
2019-08-13 23:05:56,286 [root] INFO: Waiting for process 224 to exit.
2019-08-13 23:05:57,315 [lib.api.process] INFO: Successfully terminated process with pid 224.
2019-08-13 23:05:57,315 [root] INFO: Waiting for process 224 to exit.
2019-08-13 23:05:58,345 [root] INFO: Shutting down package.
2019-08-13 23:05:58,345 [root] INFO: Stopping auxiliary modules.
2019-08-13 23:05:58,391 [root] INFO: Finishing auxiliary modules.
2019-08-13 23:05:58,391 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 23:05:58,407 [root] WARNING: File at path "C:\TJNCea\debugger" does not exist, skip.
2019-08-13 23:05:58,423 [root] INFO: Analysis completed.
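The analyzer log above records two things an analyst usually has to pull out by hand: which processes the CAPE monitor ended up in (the WMI service, pid 4100, via RtlCreateUserThread, and the spawned WmiPrvSE.exe, pid 224, via IAT patching) and which Dump-on-API event produced the CAPE file (the SetUnhandledExceptionFilter trigger in pid 224). It also shows the analyzer's own log-reader thread dying with a MemoryError in lib\core\log.py at 23:05:13, roughly forty seconds before the timeout, so monitor output after that point may never have reached the results. The following parser is an added example, not part of this report or of the CAPE project: the regular expressions are written against the line formats visible in this log and are assumptions about nothing beyond them, SAMPLE_LOG is a constructed excerpt copied from the lines above, and because a Dump-on-API line carries no pid, the dump is attributed to the pid the loader most recently targeted (a positional assumption, not something the log states).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: lines copied from the CAPE analyzer log in this report,
# trimmed to the events the parser cares about.
SAMPLE_LOG = r"""
2019-08-13 23:03:39,598 [root] INFO: Attaching to WMI service (pid 4100)
2019-08-13 23:03:39,661 [root] DEBUG: Loader: Injecting process 4100 (thread 0) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:39,755 [root] INFO: Monitor successfully loaded in process with pid 4100.
2019-08-13 23:03:39,769 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:03:43,124 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 224
2019-08-13 23:03:43,279 [root] DEBUG: Loader: Injecting process 224 (thread 2880) with C:\mzxkdbjufe\dll\dykCyQSo.dll.
2019-08-13 23:03:43,390 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:03:43,592 [root] INFO: Monitor successfully loaded in process with pid 224.
2019-08-13 23:03:43,747 [root] INFO: Added new CAPE file to list with path: C:\mzxkdbjufe\CAPE\224_2629517504323714382019
2019-08-13 23:03:43,779 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFE00000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:05:13,605 [root] ERROR: Traceback (most recent call last):
  File "C:\mzxkdbjufe\lib\core\log.py", line 79, in run
    self.handle_logs()
  File "C:\mzxkdbjufe\lib\core\log.py", line 61, in handle_logs
    data += buf.raw[:bytes_read.value]
MemoryError
2019-08-13 23:05:52,183 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
"""

# Patterns are assumptions derived from the line formats seen in this report.
PREFIX = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[[^\]]+\] (?P<level>[A-Z]+): (?P<msg>.*)$")
ATTACH = re.compile(r"Attaching to WMI service \(pid (?P<pid>\d+)\)")
ANNOUNCE = re.compile(r"Announced (?:32|64)-bit process name: (?P<name>\S+) pid: (?P<pid>\d+)")
LOADER = re.compile(r"Loader: Injecting process (?P<pid>\d+) \(thread (?P<tid>\d+)\)")
TECHNIQUE = re.compile(r"InjectDllVia(?P<how>Thread|IAT): Successfully")
MONITOR = re.compile(r"Monitor successfully loaded in process with pid (?P<pid>\d+)")
CAPE_FILE = re.compile(r"Added new CAPE file to list with path: (?P<path>\S+)")
DUMP = re.compile(r"Dump-on-API: Dumped module at (?P<addr>0x[0-9A-Fa-f]+) due to (?P<api>\w+) call")
EXCEPTION = re.compile(r"^\w+(?:Error|Exception)\b")   # last line of a Python traceback


@dataclass
class ProcessRecord:
    pid: int
    name: Optional[str] = None           # from "Announced ... process name" or the WMI attach line
    thread_id: Optional[int] = None      # thread the loader targeted (0 = none supplied)
    injection: Optional[str] = None      # "Thread" (RtlCreateUserThread) or "IAT" (import-table patch)
    monitored: bool = False
    cape_files: List[str] = field(default_factory=list)
    dumps: List[Tuple[str, str]] = field(default_factory=list)   # (image base, triggering API)


@dataclass
class LogSummary:
    processes: Dict[int, ProcessRecord] = field(default_factory=dict)
    analyzer_exceptions: List[str] = field(default_factory=list)
    first_exception_ts: Optional[str] = None
    timed_out: bool = False


def parse_cape_log(text: str) -> LogSummary:
    """Build a per-process injection/dump timeline from analyzer log text."""
    summary = LogSummary()
    current: Optional[int] = None      # pid the loader most recently targeted (positional attribution)
    in_traceback = False

    def rec(pid: int) -> ProcessRecord:
        return summary.processes.setdefault(pid, ProcessRecord(pid))

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = PREFIX.match(line)
        if m is None:
            # Traceback continuation lines have no timestamp prefix; keep the exception name.
            if in_traceback and EXCEPTION.match(line.strip()):
                summary.analyzer_exceptions.append(line.strip())
                in_traceback = False
            continue
        ts, level, msg = m["ts"], m["level"], m["msg"]
        if level == "ERROR" and msg.startswith("Traceback"):
            in_traceback = True
            summary.first_exception_ts = summary.first_exception_ts or ts
            continue
        x = ATTACH.search(msg)
        if x:
            rec(int(x["pid"])).name = "WMI service"
            continue
        x = ANNOUNCE.search(msg)
        if x:
            rec(int(x["pid"])).name = x["name"]
            continue
        x = LOADER.search(msg)
        if x:
            current = int(x["pid"])
            rec(current).thread_id = int(x["tid"])
            continue
        x = MONITOR.search(msg)
        if x:
            current = int(x["pid"])
            rec(current).monitored = True
            continue
        if current is not None:
            x = TECHNIQUE.search(msg)
            if x:
                rec(current).injection = x["how"]
                continue
            x = CAPE_FILE.search(msg)
            if x:
                rec(current).cape_files.append(x["path"])
                continue
            x = DUMP.search(msg)
            if x:
                rec(current).dumps.append((x["addr"], x["api"]))
                continue
        if "Analysis timeout hit" in msg:
            summary.timed_out = True
    return summary


def dump_triggers(summary: LogSummary) -> List[Tuple[int, str, str, str]]:
    """(pid, process name, image base, API) for every Dump-on-API event."""
    return [(pid, p.name or "?", addr, api)
            for pid, p in sorted(summary.processes.items()) for addr, api in p.dumps]


def log_gap_warning(summary: LogSummary) -> Optional[str]:
    """Analyst caveat: a dead log-reader thread means later monitor output may be missing."""
    if not summary.analyzer_exceptions:
        return None
    return "analyzer log reader raised %s at %s; monitor output after this time may be lost" % (
        ", ".join(summary.analyzer_exceptions), summary.first_exception_ts)


if __name__ == "__main__":
    s = parse_cape_log(SAMPLE_LOG)
    for pid, p in sorted(s.processes.items()):
        print(pid, p.name, "injection=%s" % p.injection, "monitored" if p.monitored else "not monitored")
    print(dump_triggers(s))
    print(log_gap_warning(s))
    print("timed out:", s.timed_out)
```

Run against the full log rather than the excerpt, the same parser also picks up the earlier injections into the processes that precede pid 4100. The gap warning is the point to carry into triage: once log.py stopped draining the monitor pipe, the signature hits and MalScore below rest on whatever had been received up to 23:05:13, so a clean-looking tail of the timeline is not evidence of inactivity.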

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-08-13 22:02:24
Shutdown On 2019-08-13 22:06:15

File Details

File Name b2adfc902ef49583b590da412ebc0383e209cb25cb6269b12d698b4666ddcf2c
File Size 677142 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f0d2bd6573e2592113275065183a68cf
SHA1 2e8945a096b5582594591f3a2696e74ba0466db1
SHA256 b2adfc902ef49583b590da412ebc0383e209cb25cb6269b12d698b4666ddcf2c
SHA512 847b577eaae4ae541f856b088ccb81f90ed51b1f63147f9aaf038ce37d66a2f84e4228b8ad807737f259f32a14e52b7278c1bdf71ec45a9326e7be3d8109a4ce
CRC32 48BA3166
Ssdeep 12288:pSuiDKCiuef5J23iBm5pw4IZu54oFBsM0Nb:pSFriuexUJjoZGeM0Nb
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JOMS269GXXH1EF7U7NE.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Possible date expiration check, exits too soon after checking local time
process: cmd.exe, PID 1308
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONNREAIAAIAW0QFTI4DN.temp
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHEYL2MXKD5V0WYEDJCI.temp
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U4XGHTIMFS7AQH9HMEHF.temp
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20HA78JLL7QMTVQGVBJ4.temp
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP
DeletedFile: C:\Windows\Tasks\SpeedLan.job
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: comctl32.dll/
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPT32.dll/CryptProtectData
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: comctl32.dll/
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: pcwum.dll/PerfDeleteInstance
DynamicLoader: pcwum.dll/PerfStopProvider
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/WmiCloseBlock
DynamicLoader: PROPSYS.dll/PropVariantToVariant
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: wbemcore.dll/Shutdown
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ADVAPI32.dll/RegDeleteKeyExW
DynamicLoader: kernel32.dll/RegDeleteValueW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/IsThreadAFiber
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: FastProx.dll/DllGetClassObject
DynamicLoader: FastProx.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetCallContext
A process created a hidden window
Process: ue4xHo.exe -> C:\ProgramData\ропрУВаЫсено.exe
Process: ропрУВаЫсено.exe -> cmd.exe (24 identical entries, one per cmd.exe child)
A scripting utility was executed
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: powershell Set-MpPreference -DisableIOAVProtection $true
command: powershell Set-MpPreference -DisablePrivacyMode $true
command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: powershell Set-MpPreference -SevereThreatDefaultAction 6
command: powershell Set-MpPreference -LowThreatDefaultAction 6
command: powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: powershell Set-MpPreference -DisableScriptScanning $true
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
command: cmd.exe /c sc stop WinDefend
command: cmd.exe /c sc stop WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
command: cmd.exe /c sc delete WinDefend
command: cmd.exe /c sc delete WinDefend
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: sc stop WinDefend
command: sc delete WinDefend
Attempts to stop active services
servicename: WinDefend
Spoofs its process name and/or associated pathname to appear as a legitimate process
original_path: C:\Windows\system32\svchost.exe
original_name: svchost.exe
modified_name: svchost.exe
modified_path: C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсено.exe
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP
Creates a copy of itself
copy: C:\ProgramData\ропрУВаЫсено.exe
copy: C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсено.exe
Attempts to disable Windows Defender
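The two behaviours the signatures above fired on are the ones a detection engineer would want to turn into rules: the cmd.exe -> powershell Set-MpPreference chain plus sc stop/delete WinDefend (Defender tampering, MITRE ATT&CK T1562.001), and a binary whose version information claims to be svchost.exe but that runs from a Roaming\syslink folder under a Cyrillic name (masquerading, T1036.005). The script below is an added example, not code from the CAPE report or from the sample. It classifies process command lines such as those recorded by Sysmon Event ID 1 or by the sandbox, unwrapping the cmd.exe /c layer first, and checks a declared OriginalFilename against its on-disk location. It goes a little beyond the report: it also flags Add-MpPreference/Set-MpPreference exclusions and treats ThreatDefaultAction 9 (NoAction) like the 6 (Allow) the sample used. The helper names, the Finding type and the allow-list of system directories are this example's own assumptions; the sample command lines are copied from the report above.

```python
"""Triage Defender tampering and process masquerading from command-line telemetry.

Added example, not part of the CAPE report or the sample. Set-MpPreference
*ThreatDefaultAction 6 means "Allow" (9 is "NoAction"), so detections are
no longer acted on; -Disable* $true switches turn individual engines off.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PERMISSIVE_THREAT_ACTIONS = {"6", "9"}   # Allow, NoAction
TRUE_VALUES = {"$true", "true", "1"}     # PowerShell [bool] spellings

# One "cmd.exe /c ..." layer, quoted or bare, with or without a full path.
CMD_WRAPPER = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$')
MPPREF = re.compile(r"(?:Set|Add)-MpPreference\s+(.*)", re.IGNORECASE)
MPPREF_SWITCH = re.compile(r"-(\w+)\s+(\$?\w+)")
SC_WINDEFEND = re.compile(r"\bsc(?:\.exe)?\s+(stop|delete|config)\s+WinDefend\b", re.IGNORECASE)

# Assumption: default 64-bit install; where a binary carrying this
# OriginalFilename in its version resource is expected to live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    detail: str


def unwrap_cmd(cmdline: str) -> str:
    """Peel off every 'cmd.exe /c' layer so the inner command is what gets classified."""
    cmdline = cmdline.strip()
    while True:
        m = CMD_WRAPPER.match(cmdline)
        if not m:
            return cmdline
        cmdline = m.group(1).strip()


def classify_command(cmdline: str) -> List[Finding]:
    """Return the Defender-tampering findings for one process command line."""
    findings: List[Finding] = []
    inner = unwrap_cmd(cmdline)

    m = MPPREF.search(inner)
    if m:
        for switch, value in MPPREF_SWITCH.findall(m.group(1)):
            low = switch.lower()
            if low.startswith("disable") and value.lower() in TRUE_VALUES:
                findings.append(Finding("T1562.001", f"Set-MpPreference -{switch} {value}"))
            elif low.endswith("threatdefaultaction") and value in PERMISSIVE_THREAT_ACTIONS:
                findings.append(Finding("T1562.001",
                                        f"Set-MpPreference -{switch} {value} (Allow/NoAction)"))
            elif low.startswith("exclusion"):
                findings.append(Finding("T1562.001", f"MpPreference -{switch} (exclusion added)"))

    m = SC_WINDEFEND.search(inner)
    if m:   # 'sc query WinDefend' is benign and deliberately not matched
        findings.append(Finding("T1562.001", f"sc {m.group(1).lower()} WinDefend"))
    return findings


def masquerade_reason(original_filename: str, image_path: str) -> Optional[str]:
    """Why a binary's declared OriginalFilename does not fit its on-disk location;
    None when the pair looks legitimate or the name is not one we track."""
    declared = original_filename.lower()
    if declared not in EXPECTED_DIRS:
        return None
    directory, _, basename = image_path.rpartition("\\")
    if basename.lower() != declared:
        return f"claims to be {original_filename} but is named {basename}"
    if directory.lower() not in EXPECTED_DIRS[declared]:
        return f"{original_filename} running from {directory}"
    return None


def triage(cmdlines: List[str]) -> List[Finding]:
    """Deduplicated findings across a batch of command lines, in first-seen order."""
    seen: List[Finding] = []
    for line in cmdlines:
        for f in classify_command(line):
            if f not in seen:
                seen.append(f)
    return seen


# Sample input copied from the report above (the spoof pair is the
# "Spoofs its process name" signature data with the Cyrillic name decoded).
REPORT_COMMANDS = [
    r'"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r"cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r"powershell Set-MpPreference -SevereThreatDefaultAction 6",
    r'"C:\Windows\System32\cmd.exe" /c sc stop WinDefend',
    r"cmd.exe /c sc delete WinDefend",
]
REPORT_MASQUERADE = ("svchost.exe", r"C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсено.exe")

if __name__ == "__main__":
    for f in triage(REPORT_COMMANDS):
        print(f.technique, f.detail)
    print(masquerade_reason(*REPORT_MASQUERADE))
```

Run against the report's command lines, triage() collapses the duplicated cmd.exe and powershell entries into four distinct findings, and masquerade_reason() flags the svchost.exe/ропрУВаЫсено.exe pair on the name mismatch alone, before the directory check is reached. On hosts where Defender Tamper Protection is enabled these cmdlets and sc.exe calls do not take effect, but they are still logged as process creations, so the command lines remain the detection opportunity.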

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\ue4xHo.exe
C:\ProgramData\ропрУВаЫсено.exe
\??\MountPointManager
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Crypto
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001\f58155b4b1d5a524ca0261c3ee99fb50_fb20aa52-1ec9-4d1f-b923-f6709499e604
C:\ProgramData\*
C:\Users\user\AppData\Roaming\syslink
C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсено.exe
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\sc.*
C:\Users\user\AppData\Local\Temp\sc
C:\Windows\sysnative\sc.*
C:\Windows\sysnative\sc.COM
C:\Windows\sysnative\sc.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\powershell.*
C:\Users\user\AppData\Local\Temp\powershell
C:\Windows\sysnative\powershell.*
C:\Windows\sysnative\powershell
C:\Windows\powershell.*
C:\Windows\powershell
C:\Windows\sysnative\wbem\powershell.*
C:\Windows\sysnative\wbem\powershell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.COM
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe
C:\Windows
C:\Windows\sysnative
C:\Windows\sysnative\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
::\
::\{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}
::\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
::\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::\{2559A1F1-21D7-11D4-BDAF-00C04F60B9F0}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
::\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\user\Desktop
C:\Users\Public\Desktop
C:\Users\Public
C:\Users\Public\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\DosDevices\pipe\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\
C:\Windows\sysnative\windowspowershell\v1.0\powershell_ise.exe
C:\Windows\sysnative\windowspowershell
C:\Windows\sysnative\WindowsPowerShell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\
C:\Windows\hh.exe
C:\Windows\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONNREAIAAIAW0QFTI4DN.temp
C:\Windows\sysnative\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\*
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.Local\
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JOMS269GXXH1EF7U7NE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP
C:\Users\user\AppData\Roaming\syslink\sc.*
C:\Users\user\AppData\Roaming\syslink\sc
C:\Users\user\AppData\Roaming\syslink\powershell.*
C:\Users\user\AppData\Roaming\syslink\powershell
C:\Users\user\AppData\Roaming\syslink\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHEYL2MXKD5V0WYEDJCI.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U4XGHTIMFS7AQH9HMEHF.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20HA78JLL7QMTVQGVBJ4.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP
C:\Users\user\AppData\Roaming\syslink\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\Microsoft
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform
C:\Windows\sysnative\Tasks\WPD
C:\Windows\sysnative\Tasks\Microsoft\*
C:\Windows\sysnative\Tasks\Microsoft\Windows
C:\Windows\sysnative\Tasks\Microsoft\Windows Defender
C:\Windows\sysnative\Tasks\Microsoft\Windows\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
C:\Windows\sysnative\Tasks\Microsoft\Windows\AppID
C:\Windows\sysnative\Tasks\Microsoft\Windows\Application Experience
C:\Windows\sysnative\Tasks\Microsoft\Windows\Autochk
C:\Windows\sysnative\Tasks\Microsoft\Windows\Bluetooth
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program
C:\Windows\sysnative\Tasks\Microsoft\Windows\Defrag
C:\Windows\sysnative\Tasks\Microsoft\Windows\Diagnosis
C:\Windows\sysnative\Tasks\Microsoft\Windows\DiskDiagnostic
C:\Windows\sysnative\Tasks\Microsoft\Windows\Location
C:\Windows\sysnative\Tasks\Microsoft\Windows\Maintenance
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center
C:\Windows\sysnative\Tasks\Microsoft\Windows\MemoryDiagnostic
C:\Windows\sysnative\Tasks\Microsoft\Windows\MobilePC
C:\Windows\sysnative\Tasks\Microsoft\Windows\MUI
C:\Windows\sysnative\Tasks\Microsoft\Windows\Multimedia
C:\Windows\sysnative\Tasks\Microsoft\Windows\NetTrace
C:\Windows\sysnative\Tasks\Microsoft\Windows\NetworkAccessProtection
C:\Windows\sysnative\Tasks\Microsoft\Windows\Offline Files
C:\Windows\sysnative\Tasks\Microsoft\Windows\PerfTrack
C:\Windows\sysnative\Tasks\Microsoft\Windows\PLA
C:\Windows\sysnative\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
C:\Windows\sysnative\Tasks\Microsoft\Windows\RAC
C:\Windows\sysnative\Tasks\Microsoft\Windows\Ras
C:\Windows\sysnative\Tasks\Microsoft\Windows\Registry
C:\Windows\sysnative\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update
C:\Windows\sysnative\Tasks\Microsoft\Windows\RemoteAssistance
C:\Windows\sysnative\Tasks\Microsoft\Windows\Shell
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow
C:\Windows\sysnative\Tasks\Microsoft\Windows\SoftwareProtectionPlatform
C:\Windows\sysnative\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\sysnative\Tasks\Microsoft\Windows\SystemRestore
C:\Windows\sysnative\Tasks\Microsoft\Windows\Task Manager
C:\Windows\sysnative\Tasks\Microsoft\Windows\Tcpip
C:\Windows\sysnative\Tasks\Microsoft\Windows\TextServicesFramework
C:\Windows\sysnative\Tasks\Microsoft\Windows\Time Synchronization
C:\Windows\sysnative\Tasks\Microsoft\Windows\UPnP
C:\Windows\sysnative\Tasks\Microsoft\Windows\User Profile Service
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Error Reporting
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Filtering Platform
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Media Sharing
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsBackup
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsColorSystem
C:\Windows\sysnative\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
C:\Windows\sysnative\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
C:\Windows\sysnative\Tasks\Microsoft\Windows\AppID\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\AppID\PolicyConverter
C:\Windows\sysnative\Tasks\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck
C:\Windows\sysnative\Tasks\Microsoft\Windows\Application Experience\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Application Experience\AitAgent
C:\Windows\sysnative\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater
C:\Windows\sysnative\Tasks\Microsoft\Windows\Autochk\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Autochk\Proxy
C:\Windows\sysnative\Tasks\Microsoft\Windows\Bluetooth\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Bluetooth\UninstallDeviceTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\SystemTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
C:\Windows\sysnative\Tasks\Microsoft\Windows\Defrag\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag
C:\Windows\sysnative\Tasks\Microsoft\Windows\Diagnosis\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Diagnosis\Scheduled
C:\Windows\sysnative\Tasks\Microsoft\Windows\DiskDiagnostic\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
C:\Windows\sysnative\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
C:\Windows\sysnative\Tasks\Microsoft\Windows\Location\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Location\Notifications
C:\Windows\sysnative\Tasks\Microsoft\Windows\Maintenance\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Maintenance\WinSAT
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ehDRMInit
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\InstallPlayReady
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\mcupdate
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\OCURActivate
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\OCURDiscovery
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PBDADiscovery
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\RecordingRestart
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\RegisterSearch
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\Extender
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\Extender\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\MemoryDiagnostic\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
C:\Windows\sysnative\Tasks\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
C:\Windows\sysnative\Tasks\Microsoft\Windows\MobilePC\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\MobilePC\HotStart
C:\Windows\sysnative\Tasks\Microsoft\Windows\MUI\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\MUI\LPRemove
C:\Windows\sysnative\Tasks\Microsoft\Windows\Multimedia\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
C:\Windows\sysnative\Tasks\Microsoft\Windows\NetTrace\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\NetTrace\GatherNetworkInfo
C:\Windows\sysnative\Tasks\Microsoft\Windows\NetworkAccessProtection\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Offline Files\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Offline Files\Background Synchronization
C:\Windows\sysnative\Tasks\Microsoft\Windows\Offline Files\Logon Synchronization
C:\Windows\sysnative\Tasks\Microsoft\Windows\PerfTrack\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor
C:\Windows\sysnative\Tasks\Microsoft\Windows\PLA\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\PLA\System
C:\Windows\sysnative\Tasks\Microsoft\Windows\PLA\System\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
C:\Windows\sysnative\Tasks\Microsoft\Windows\RAC\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\RAC\RacTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Ras\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Ras\MobilityManager
C:\Windows\sysnative\Tasks\Microsoft\Windows\Registry\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Registry\RegIdleBackup
C:\Windows\sysnative\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\RemoteAssistance\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Shell\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Shell\WindowsParentalControls
C:\Windows\sysnative\Tasks\Microsoft\Windows\Shell\WindowsParentalControlsMigration
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\AutoWake
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\GadgetManager
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\SessionAgent
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\SystemDataProviders
C:\Windows\sysnative\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\SyncCenter\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\SystemRestore\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\SystemRestore\SR
C:\Windows\sysnative\Tasks\Microsoft\Windows\Task Manager\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Task Manager\Interactive
C:\Windows\sysnative\Tasks\Microsoft\Windows\Tcpip\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict1
C:\Windows\sysnative\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict2
C:\Windows\sysnative\Tasks\Microsoft\Windows\TextServicesFramework\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
C:\Windows\sysnative\Tasks\Microsoft\Windows\Time Synchronization\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime
C:\Windows\sysnative\Tasks\Microsoft\Windows\UPnP\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig
C:\Windows\sysnative\Tasks\Microsoft\Windows\User Profile Service\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\User Profile Service\HiveUploadTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Error Reporting\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Filtering Platform\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Media Sharing\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsBackup\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsBackup\ConfigNotification
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsColorSystem\*
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader
C:\Windows\sysnative\Tasks\Microsoft\Windows Defender\*
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform\*
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask
C:\Windows\sysnative\Tasks\WPD\*
C:\Windows\Tasks\SpeedLan.job
C:\Windows\sysnative\Tasks\SpeedLan
C:\Windows\sysnative\Tasks\
C:\Windows\SysWOW64\net.exe
C:\Windows\SysWOW64
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\ui\SwDRM.dll
C:\Windows\SysWOW64\net1.exe
C:\Windows\Temp\fwtsqmfile00.sqm
C:\Windows\SysWOW64\sc.exe
C:\Windows\SysWOW64\en-US\sc.exe.mui
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository
C:\Windows\sysnative\wbem\Logs
C:\Windows\sysnative\wbem\AutoRecover
C:\Windows\sysnative\wbem\MOF
C:\Windows\sysnative\wbem\repository\INDEX.BTR
C:\Windows\sysnative\wbem\repository\WRITABLE.TST
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\WBEM9xUpgd.dat
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\sysnative\wbem\Logs\
\??\WMIDataDevice
C:\Windows\sysnative\advapi32.dll
C:\Windows\sysnative\en-US\advapi32.dll.mui
C:\Windows\sysnative\drivers\acpi.sys
C:\Windows\sysnative\drivers\en-US\ACPI.sys.mui
C:\Windows\sysnative\drivers\ndis.sys
C:\Windows\sysnative\drivers\en-US\ndis.sys.mui
C:\Windows\sysnative\drivers\mssmbios.sys
C:\Windows\sysnative\drivers\en-US\mssmbios.sys.mui
C:\Windows\sysnative\drivers\intelppm.sys
C:\Windows\sysnative\drivers\en-US\intelppm.sys.mui
C:\Windows\sysnative\drivers\hdaudbus.sys
C:\Windows\sysnative\drivers\en-US\HDAudBus.sys.mui
C:\Windows\sysnative\drivers\portcls.sys
C:\Windows\sysnative\drivers\en-US\portcls.SYS.mui
C:\Windows\sysnative\drivers\monitor.sys
C:\Windows\sysnative\drivers\en-US\monitor.sys
C:\Windows\sysnative\drivers\en\monitor.sys
C:\Users\user\AppData\Local\Temp\ue4xHo.exe
C:\ProgramData\ропрУВаЫсено.exe
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Crypto
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
\??\PIPE\srvsvc
C:\Windows
C:\Windows\sysnative
C:\Windows\sysnative\WindowsPowerShell
C:\Windows\sysnative\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONNREAIAAIAW0QFTI4DN.temp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JOMS269GXXH1EF7U7NE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp
C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсено.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp
C:\Users\user\AppData\Roaming\syslink\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHEYL2MXKD5V0WYEDJCI.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U4XGHTIMFS7AQH9HMEHF.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20HA78JLL7QMTVQGVBJ4.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp
C:\Windows\sysnative\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
C:\Windows\sysnative\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
C:\Windows\sysnative\Tasks\Microsoft\Windows\AppID\PolicyConverter
C:\Windows\sysnative\Tasks\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck
C:\Windows\sysnative\Tasks\Microsoft\Windows\Application Experience\AitAgent
C:\Windows\sysnative\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater
C:\Windows\sysnative\Tasks\Microsoft\Windows\Autochk\Proxy
C:\Windows\sysnative\Tasks\Microsoft\Windows\Bluetooth\UninstallDeviceTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\SystemTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
C:\Windows\sysnative\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag
C:\Windows\sysnative\Tasks\Microsoft\Windows\Diagnosis\Scheduled
C:\Windows\sysnative\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
C:\Windows\sysnative\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
C:\Windows\sysnative\Tasks\Microsoft\Windows\Location\Notifications
C:\Windows\sysnative\Tasks\Microsoft\Windows\Maintenance\WinSAT
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ehDRMInit
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\InstallPlayReady
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\mcupdate
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\OCURActivate
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\OCURDiscovery
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PBDADiscovery
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\RecordingRestart
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\RegisterSearch
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath
C:\Windows\sysnative\Tasks\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
C:\Windows\sysnative\Tasks\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
C:\Windows\sysnative\Tasks\Microsoft\Windows\MobilePC\HotStart
C:\Windows\sysnative\Tasks\Microsoft\Windows\MUI\LPRemove
C:\Windows\sysnative\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
C:\Windows\sysnative\Tasks\Microsoft\Windows\NetTrace\GatherNetworkInfo
C:\Windows\sysnative\Tasks\Microsoft\Windows\Offline Files\Background Synchronization
C:\Windows\sysnative\Tasks\Microsoft\Windows\Offline Files\Logon Synchronization
C:\Windows\sysnative\Tasks\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor
C:\Windows\sysnative\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
C:\Windows\sysnative\Tasks\Microsoft\Windows\RAC\RacTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Ras\MobilityManager
C:\Windows\sysnative\Tasks\Microsoft\Windows\Registry\RegIdleBackup
C:\Windows\sysnative\Tasks\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\Shell\WindowsParentalControls
C:\Windows\sysnative\Tasks\Microsoft\Windows\Shell\WindowsParentalControlsMigration
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\AutoWake
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\GadgetManager
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\SessionAgent
C:\Windows\sysnative\Tasks\Microsoft\Windows\SideShow\SystemDataProviders
C:\Windows\sysnative\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\SystemRestore\SR
C:\Windows\sysnative\Tasks\Microsoft\Windows\Task Manager\Interactive
C:\Windows\sysnative\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict1
C:\Windows\sysnative\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict2
C:\Windows\sysnative\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
C:\Windows\sysnative\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime
C:\Windows\sysnative\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig
C:\Windows\sysnative\Tasks\Microsoft\Windows\User Profile Service\HiveUploadTask
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
C:\Windows\sysnative\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsBackup\ConfigNotification
C:\Windows\sysnative\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader
C:\Windows\sysnative\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask
C:\Windows\sysnative\Tasks\SpeedLan
C:\Windows\SysWOW64\net.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\net1.exe
C:\Windows\Temp\fwtsqmfile00.sqm
C:\Windows\SysWOW64\sc.exe
C:\Windows\SysWOW64\en-US\sc.exe.mui
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Windows\sysnative\advapi32.dll
C:\Windows\sysnative\drivers\acpi.sys
C:\Windows\sysnative\drivers\ndis.sys
C:\Windows\sysnative\drivers\mssmbios.sys
C:\Windows\sysnative\drivers\intelppm.sys
C:\Windows\sysnative\drivers\hdaudbus.sys
C:\Windows\sysnative\drivers\portcls.sys
C:\Windows\sysnative\drivers\monitor.sys
C:\Windows\sysnative\en-US\advapi32.dll.mui
C:\Windows\sysnative\drivers\en-US\ACPI.sys.mui
C:\Windows\sysnative\drivers\en-US\ndis.sys.mui
C:\Windows\sysnative\drivers\en-US\mssmbios.sys.mui
C:\Windows\sysnative\drivers\en-US\intelppm.sys.mui
C:\Windows\sysnative\drivers\en-US\HDAudBus.sys.mui
C:\Windows\sysnative\drivers\en-US\portcls.SYS.mui
C:\ProgramData\ропрУВаЫсено.exe
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001\f58155b4b1d5a524ca0261c3ee99fb50_fb20aa52-1ec9-4d1f-b923-f6709499e604
C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсено.exe
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONNREAIAAIAW0QFTI4DN.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JOMS269GXXH1EF7U7NE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XGUL1F4093BOFQLKJXLP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT5VN8I2D076GVITBR4U.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0APC9KQAIRF3FLVWD9IP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KR0QH5J9UJHK8Z3F4BND.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM14MRXND5PWCF2BP1WP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR8QMLI8XYDQ7O1Z3YED.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNC9NAZT2MQKDK5UP6U5.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TIPC8XEIBF2PM7T0KC1.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP
C:\Users\user\AppData\Roaming\syslink\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L60QMSWDBQS6FINKPPKD.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHEYL2MXKD5V0WYEDJCI.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U4XGHTIMFS7AQH9HMEHF.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UEKC1JSB2PR92YIK60W.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VVGAM1OLX1AXXX8KR4X.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLPVWM1WVGDU0OV56FY3.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20HA78JLL7QMTVQGVBJ4.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K56G7Z35HVS6JP1XYE1T.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHYF6GGTMB8Z5R1SWHOE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB551YI3XM14P1U2I8OA.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP
C:\Windows\Temp\fwtsqmfile00.sqm
\??\PIPE\samr
C:\Windows\sysnative\wbem\repository\WRITABLE.TST
C:\Windows\sysnative\wbem\repository\MAPPING1.MAP
C:\Windows\sysnative\wbem\repository\MAPPING2.MAP
C:\Windows\sysnative\wbem\repository\MAPPING3.MAP
C:\Windows\sysnative\wbem\repository\OBJECTS.DATA
C:\Windows\sysnative\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONNREAIAAIAW0QFTI4DN.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7JOMS269GXXH1EF7U7NE.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3459.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bc753.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e343a.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3bd8.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3a81.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f80.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF23bd2a9.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e3f9f.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e48e2.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHEYL2MXKD5V0WYEDJCI.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U4XGHTIMFS7AQH9HMEHF.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4a2a.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4b62.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e4d93.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20HA78JLL7QMTVQGVBJ4.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51f7.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e51e7.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF22e52a2.TMP
C:\Windows\Tasks\SpeedLan.job
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\ue4xHo.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\State
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\Preference
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\????????????.exe
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PropertyBag
HKEY_CLASSES_ROOT\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SortOrderIndex
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\FavoritesRemovedChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheSMP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheTBP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_MinMFU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qvfcynlfjvgpu.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\kcfepuij.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JSF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zntavsl.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\freivprf.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IOBKJVAQBJFNQQVGVBAF-NZQ64.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\IObkQeiVafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\IOBKFIE\Qbjaybnqf\9.0_NqorEqe90_ra_HF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvrkrp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\CVY-1.1.7.jva32-cl2.7.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\wqx-7-jvaqbjf-v586.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.Qrsnhyg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\frghc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IObkJvaqbjfNqqvgvbaf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\HfreNppbhagPbagebyFrggvatf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erxrljvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zzp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\fyhv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\frgup.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FlfgrzCebcregvrfNqinaprq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\AQC451-XO2858728-k86-k64-NyyBF-RAH.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\CBJRECAG.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BARABGR.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Ernqre 9.0\Ernqre\NpebEq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\havafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\NccQngn\Ybpny\Grzc\~afh.gzc\Nh_.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jvaire.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clgubaj.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{7SR8Q22N-SO1Q-N8OR-01R3-6P8693961R6R}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.64Ovg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qbjaybnqf\Nhgbehaf64.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P1P6S8NP-40N3-0S5P-146S-65N9QP70OOO4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\qvfcynlfjvgpu.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\KCF Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Snk naq Fpna.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Jbeq 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Rkpry 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bhgybbx 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg CbjreCbvag 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg BarAbgr 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqbor Ernqre 9.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Benpyr IZ IveghnyObk Thrfg Nqqvgvbaf\Havafgnyy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere (64-ovg).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CLASSES_ROOT\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Pbzznaq Cebzcg.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Jvaqbjf Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Aneengbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Ba-Fperra Xrlobneq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Flfgrz Gbbyf\Cevingr Punenpgre Rqvgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npebong.pbz.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Fvqrone.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf QIQ Znxre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Zrqvn Cynlre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zngu Vachg Cnary.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zbovyvgl Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\ArgjbexCebwrpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fbhaq Erpbeqre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flap Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jbeqcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Npprffvovyvgl\Fcrrpu Erpbtavgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\qsethv.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Erfbhepr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Vasbezngvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Erfgber.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre Ercbegf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\FuncrPbyyrpgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\GnoGvc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\Jvaqbjf Wbheany.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzcbarag Freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzchgre Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Qngn Fbheprf (BQOP).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Rirag Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\vFPFV Vavgvngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Zrzbel Qvntabfgvpf Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cresbeznapr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cevag Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Frphevgl Pbasvthengvba Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Flfgrz Pbasvthengvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf Sverjnyy jvgu Nqinaprq Frphevgl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf CbjreFuryy Zbqhyrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Perngr Erpbirel Qvfp.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Erzbgr Nffvfgnapr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Qvtvgny Pregvsvpngr sbe ION Cebwrpgf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Pyvc Betnavmre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Ynathntr Cersreraprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Hcybnq Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr Cvpgher Znantre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Bssvpr Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\VQYR (Clguba THV).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Zbqhyr Qbpf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Clguba (pbzznaq yvar).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\aneengbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bfx.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\rhqprqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Npebong.pbz\Npebong.pbz.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{Q4N262QQ-PR44-Q105-S36O-9Q77N8PO65N4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfNalgvzrHctenqrHV.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\QIQ Znxre\QIQZnxre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnCynlre32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\zvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{NN198O3P-PQ8P-7QR1-98Q1-O460S637193O}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ArgCebw.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FbhaqErpbeqre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zboflap.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf AG\Npprffbevrf\jbeqcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{QNN168QR-4306-P8OP-8P11-O596240OQQRQ}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\puneznc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qsethv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pyrnazte.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P804OON7-SN5S-POS7-8O55-2096R5S972PO}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvasb32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\efgehv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\cbfgzvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\zvtjvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\FuncrPbyyrpgbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\GnoGvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf Wbheany\Wbheany.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pbzrkc.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NOQ94SO-R7Q6-84N6-N997-P918RQQR0NR5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bqopnq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OO044OSQ-25O7-2SNN-22N8-6371N93R0456}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\vfpfvpcy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ZqFpurq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NN47365-O2O3-1961-69RO-S866R376O12S}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\cevagznantrzrag.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OQ3S924R-55SO-N1ON-9QR6-O50S9S2460NP}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfpbasvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JS.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{15067OP1-P5N8-425R-37P6-SN0O891674S9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erpqvfp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfen.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\ZFGBER.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BVF.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Pbzzba Svyrf\zvpebfbsg funerq\BSSVPR14\Bssvpr Frghc Pbagebyyre\cebzb.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{53123611-QN37-S8QN-SNP9-03R76QO9Q64Q}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
HKEY_CLASSES_ROOT\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\RuntimeVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NormalizeLinkNetPidls
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\System.NamespaceCLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\{28636AA6-953D-11D2-B5D6-00C04FD918D0} 6
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\svchost.exe
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F0BD7C0-350C-4F75-92A3-104A10922F80}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F0BD7C0-350C-4F75-92A3-104A10922F80}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F0BD7C0-350C-4F75-92A3-104A10922F80}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCBAD3E-188B-4170-9F99-D18C3501678A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCBAD3E-188B-4170-9F99-D18C3501678A}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCBAD3E-188B-4170-9F99-D18C3501678A}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B0F1F6D-C1A2-48A2-AC36-81047F360A83}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B0F1F6D-C1A2-48A2-AC36-81047F360A83}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B0F1F6D-C1A2-48A2-AC36-81047F360A83}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4B8EA3E-232D-48D6-9BF8-D34E912E6F0F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4B8EA3E-232D-48D6-9BF8-D34E912E6F0F}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4B8EA3E-232D-48D6-9BF8-D34E912E6F0F}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53DC79F-5ADC-49B4-A320-8E7AEE3577A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53DC79F-5ADC-49B4-A320-8E7AEE3577A9}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53DC79F-5ADC-49B4-A320-8E7AEE3577A9}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67EC7E74-D876-4298-A252-395A551BD437}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67EC7E74-D876-4298-A252-395A551BD437}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67EC7E74-D876-4298-A252-395A551BD437}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77DCC58C-F940-4DC4-AC48-48B9FED91614}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77DCC58C-F940-4DC4-AC48-48B9FED91614}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77DCC58C-F940-4DC4-AC48-48B9FED91614}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5B22AD-C69B-445B-A290-62E4409F926C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5B22AD-C69B-445B-A290-62E4409F926C}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5B22AD-C69B-445B-A290-62E4409F926C}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B38CC0-2DC9-4A2F-8F04-8AC4842F7BC7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B38CC0-2DC9-4A2F-8F04-8AC4842F7BC7}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B38CC0-2DC9-4A2F-8F04-8AC4842F7BC7}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\Extender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MobilePC\HotStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MobilePC\HotStart\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BD8AFF9-E621-47AC-B67C-D75CF67AF053}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BD8AFF9-E621-47AC-B67C-D75CF67AF053}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BD8AFF9-E621-47AC-B67C-D75CF67AF053}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\LPRemove
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\LPRemove\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB02381F-D652-4B1C-894A-712498C62C51}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB02381F-D652-4B1C-894A-712498C62C51}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB02381F-D652-4B1C-894A-712498C62C51}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SystemSoundsService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SystemSoundsService\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2470470F-2634-478E-B181-571E98A789BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2470470F-2634-478E-B181-571E98A789BB}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2470470F-2634-478E-B181-571E98A789BB}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetTrace\GatherNetworkInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetTrace\GatherNetworkInfo\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81540B9F-B5BF-47EB-9C95-BE195BF2C664}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81540B9F-B5BF-47EB-9C95-BE195BF2C664}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81540B9F-B5BF-47EB-9C95-BE195BF2C664}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Background Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Background Synchronization\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Logon Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Logon Synchronization\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B4B3398-654B-4215-9DC9-71F37F6D3437}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B4B3398-654B-4215-9DC9-71F37F6D3437}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B4B3398-654B-4215-9DC9-71F37F6D3437}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F1EA04-53D9-4650-912F-498A9C207F1B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F1EA04-53D9-4650-912F-498A9C207F1B}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F1EA04-53D9-4650-912F-498A9C207F1B}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0CBAB43-44FC-469B-A4CE-87426761FDCE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0CBAB43-44FC-469B-A4CE-87426761FDCE}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0CBAB43-44FC-469B-A4CE-87426761FDCE}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\System\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB3C354D-297A-4EB2-9B58-090F6361906B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB3C354D-297A-4EB2-9B58-090F6361906B}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB3C354D-297A-4EB2-9B58-090F6361906B}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RAC\RacTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RAC\RacTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EACA24FF-236C-401D-A1E7-B3D5267B8A50}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EACA24FF-236C-401D-A1E7-B3D5267B8A50}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EACA24FF-236C-401D-A1E7-B3D5267B8A50}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Ras\MobilityManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Ras\MobilityManager\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC668097-4D6B-4093-AC14-014C09DBF820}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC668097-4D6B-4093-AC14-014C09DBF820}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC668097-4D6B-4093-AC14-014C09DBF820}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\RegIdleBackup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\RegIdleBackup\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControls\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControlsMigration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControlsMigration\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B42DD9C-5A26-4F27-BB95-34603F0997E5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B42DD9C-5A26-4F27-BB95-34603F0997E5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B42DD9C-5A26-4F27-BB95-34603F0997E5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{486D715E-6AA2-44CF-BC48-B6990CBB53C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{486D715E-6AA2-44CF-BC48-B6990CBB53C6}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{486D715E-6AA2-44CF-BC48-B6990CBB53C6}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\AutoWake
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\AutoWake\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\GadgetManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\GadgetManager\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SessionAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SessionAgent\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SystemDataProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SystemDataProviders\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{365A30E2-8B9F-4F68-8F3B-65E2986D53A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{365A30E2-8B9F-4F68-8F3B-65E2986D53A8}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{365A30E2-8B9F-4F68-8F3B-65E2986D53A8}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19A7F090-8B10-456E-8D59-3807952AA3F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19A7F090-8B10-456E-8D59-3807952AA3F0}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19A7F090-8B10-456E-8D59-3807952AA3F0}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{889B8696-D393-49A2-9800-67D5C84A9F26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{889B8696-D393-49A2-9800-67D5C84A9F26}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{889B8696-D393-49A2-9800-67D5C84A9F26}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{378232A2-52F4-4AA6-83BB-E5970DBC55D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{378232A2-52F4-4AA6-83BB-E5970DBC55D7}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{378232A2-52F4-4AA6-83BB-E5970DBC55D7}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9F510C-95F4-499A-90C8-BAC5BC372FF4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9F510C-95F4-499A-90C8-BAC5BC372FF4}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9F510C-95F4-499A-90C8-BAC5BC372FF4}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SystemRestore\SR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SystemRestore\SR\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{994C86AD-A929-4B2C-88A0-4E25A107A029}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{994C86AD-A929-4B2C-88A0-4E25A107A029}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{994C86AD-A929-4B2C-88A0-4E25A107A029}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Task Manager\Interactive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Task Manager\Interactive\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F7B7221-AE8F-44F3-BA82-F7D260F51964}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F7B7221-AE8F-44F3-BA82-F7D260F51964}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F7B7221-AE8F-44F3-BA82-F7D260F51964}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict1\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict2\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{088482FA-65B8-4E17-9ABF-1DCD48E8D373}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{088482FA-65B8-4E17-9ABF-1DCD48E8D373}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{088482FA-65B8-4E17-9ABF-1DCD48E8D373}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09F06BFE-A3C8-40E3-846A-6E6F4000C238}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09F06BFE-A3C8-40E3-846A-6E6F4000C238}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09F06BFE-A3C8-40E3-846A-6E6F4000C238}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TextServicesFramework\MsCtfMonitor\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C8B01A2-11FF-4C41-848F-508EF4F00CF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C8B01A2-11FF-4C41-848F-508EF4F00CF7}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C8B01A2-11FF-4C41-848F-508EF4F00CF7}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Time Synchronization\SynchronizeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Time Synchronization\SynchronizeTime\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{044A6734-E90E-4F8F-B357-B2DC8AB3B5EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{044A6734-E90E-4F8F-B357-B2DC8AB3B5EC}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{044A6734-E90E-4F8F-B357-B2DC8AB3B5EC}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\UPnPHostConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\UPnPHostConfig\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A40E926-9E86-4B89-9CFD-B12311724371}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A40E926-9E86-4B89-9CFD-B12311724371}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A40E926-9E86-4B89-9CFD-B12311724371}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\User Profile Service\HiveUploadTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\User Profile Service\HiveUploadTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6738BA6E-EA75-4B6B-B8B8-71F0336DD8EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6738BA6E-EA75-4B6B-B8B8-71F0336DD8EF}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6738BA6E-EA75-4B6B-B8B8-71F0336DD8EF}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WDI\ResolutionHost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WDI\ResolutionHost\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9435F817-FED2-454E-88CD-7F78FDA62C48}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9435F817-FED2-454E-88CD-7F78FDA62C48}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9435F817-FED2-454E-88CD-7F78FDA62C48}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\QueueReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\QueueReporting\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0250F3F-6480-484F-B719-42F659AC64D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0250F3F-6480-484F-B719-42F659AC64D5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0250F3F-6480-484F-B719-42F659AC64D5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E22A8667-F75B-4BA9-BA46-067ED4429DE8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E22A8667-F75B-4BA9-BA46-067ED4429DE8}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E22A8667-F75B-4BA9-BA46-067ED4429DE8}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Media Sharing\UpdateLibrary
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Media Sharing\UpdateLibrary\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{753C47AE-EC5E-44B3-95A9-2C8E553F0E39}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{753C47AE-EC5E-44B3-95A9-2C8E553F0E39}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{753C47AE-EC5E-44B3-95A9-2C8E553F0E39}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\ConfigNotification
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\ConfigNotification\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsColorSystem\Calibration Loader
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsColorSystem\Calibration Loader\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A35BB7A6-5F0C-4C9F-8450-2B3BED532D51}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A35BB7A6-5F0C-4C9F-8450-2B3BED532D51}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A35BB7A6-5F0C-4C9F-8450-2B3BED532D51}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77D8C4FE-AD05-41A3-9BFD-73AAF4EB8281}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77D8C4FE-AD05-41A3-9BFD-73AAF4EB8281}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77D8C4FE-AD05-41A3-9BFD-73AAF4EB8281}\Triggers
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SpeedLan.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SpeedLan.job.fp
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpeedLan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF5B78E8-1581-4B10-B0CE-1363D82E22C9}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF5B78E8-1581-4B10-B0CE-1363D82E22C9}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpeedLan\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpeedLan\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF5B78E8-1581-4B10-B0CE-1363D82E22C9}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF5B78E8-1581-4B10-B0CE-1363D82E22C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF5B78E8-1581-4B10-B0CE-1363D82E22C9}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wmi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\wmi
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\net.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\net1.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000C-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000C-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000C-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PreviousServiceShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\winmgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\sc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{20F627E7-698F-40B0-90B3-A74E8735E5D2}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{500489C5-87D1-459A-8E3D-E58ACB8BBB9F}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{52DEB809-F42F-4C8E-B4AE-03F95F2FDE63}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{67D5A612-B2EE-4E88-8D9E-AF0260B63966}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\AppId
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\WDM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\IDE\DiskVMware_Virtual_SATA_Hard_Drive__________00000001\6&158e87a7&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ACPI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NDIS\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NDIS\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssmbios\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssmbios\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelppm\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelppm\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HDAudBus\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HDAudBus\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\portcls
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\monitor\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\monitor\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\advapi32.dll[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\en-US\advapi32.dll.mui[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ACPI.sys[ACPIMOFResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ndis.sys[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ndis.sys.mui[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\mssmbios.sys[MofResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\mssmbios.sys.mui[MofResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\intelppm.sys[PROCESSORWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\intelppm.sys.mui[PROCESSORWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\HDAudBus.sys[HDAudioMofName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\HDAudBus.sys.mui[HDAudioMofName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\System32\Drivers\portcls.SYS[PortclsMof]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\System32\Drivers\en-US\portcls.SYS.mui[PortclsMof]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\monitor.sys[MonitorWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{49353C93-516B-11D1-AEA6-00C04FB68820}
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\State
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-735
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-734
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\AccessibilityCpl.dll,-10
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-737
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sud.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wucltux.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\ehome\ehres.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10030
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\rstrui.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\comres.dll,-3410
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mycomput.dll,-300
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10021
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msconfig.exe,-126
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\gameux.dll,-10082
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msra.exe,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Descriptio