CAPE

Detections: TrickBot
Triggered CAPE Tasks: Task #87756: TrickBot


Analysis

Category: FILE
Package: exe
Started: 2019-08-13 22:42:50
Completed: 2019-08-13 22:47:19
Duration: 269 seconds
Options: route = internet; procdump = 1
Log:
2019-08-13 23:42:51,000 [root] INFO: Date set to: 08-13-19, time set to: 22:42:51, timeout set to: 200
2019-08-13 23:42:51,062 [root] DEBUG: Starting analyzer from: C:\iatizuh
2019-08-13 23:42:51,062 [root] DEBUG: Storing results at: C:\CAMuQTV
2019-08-13 23:42:51,062 [root] DEBUG: Pipe server name: \\.\PIPE\LRQQUCSjJ
2019-08-13 23:42:51,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 23:42:51,062 [root] INFO: Automatically selected analysis package "exe"
2019-08-13 23:42:51,950 [root] DEBUG: Started auxiliary module Browser
2019-08-13 23:42:51,950 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 23:42:51,950 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 23:42:52,964 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 23:42:52,964 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 23:42:52,964 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 23:42:52,964 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 23:42:52,980 [root] DEBUG: Started auxiliary module Human
2019-08-13 23:42:52,980 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 23:42:52,980 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 23:42:52,980 [root] DEBUG: Started auxiliary module Usage
2019-08-13 23:42:52,980 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-08-13 23:42:52,980 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-08-13 23:42:53,028 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\HNSEfLxEppqeUq.exe" with arguments "" with pid 1420
2019-08-13 23:42:53,028 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:53,028 [lib.api.process] INFO: 32-bit DLL to inject is C:\iatizuh\dll\GUPRYLG.dll, loader C:\iatizuh\bin\RFPTHVd.exe
2019-08-13 23:42:53,059 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:53,059 [root] DEBUG: Loader: Injecting process 1420 (thread 1312) with C:\iatizuh\dll\GUPRYLG.dll.
2019-08-13 23:42:53,059 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:42:53,059 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\GUPRYLG.dll.
2019-08-13 23:42:53,073 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77680000
2019-08-13 23:42:53,073 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 23:42:53,073 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:53,073 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\GUPRYLG.dll.
2019-08-13 23:42:53,073 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1420
2019-08-13 23:42:55,086 [lib.api.process] INFO: Successfully resumed process with pid 1420
2019-08-13 23:42:55,086 [root] INFO: Added new process to list with pid: 1420
2019-08-13 23:42:55,101 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:55,101 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:55,148 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,148 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:55,148 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,148 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,148 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,148 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1420 at 0x74b50000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:42:55,148 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\HNSEfLxEppqeUq.exe".
2019-08-13 23:42:55,148 [root] INFO: Monitor successfully loaded in process with pid 1420.
2019-08-13 23:42:55,148 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:42:55,180 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:42:55,180 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:42:55,180 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:42:55,196 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:42:55,196 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:42:55,211 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:42:55,211 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:42:55,226 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:42:55,226 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:42:55,257 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 23:42:55,273 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:42:55,273 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:42:55,289 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:42:55,289 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:42:55,398 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:42:55,398 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:42:55,398 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:42:55,398 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:42:55,414 [root] DEBUG: DLL unloaded from 0x76430000.
2019-08-13 23:42:55,430 [root] INFO: Announced 32-bit process name: ОЛкАесмЫфц.exe pid: 1448
2019-08-13 23:42:55,430 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,430 [lib.api.process] INFO: 32-bit DLL to inject is C:\iatizuh\dll\GUPRYLG.dll, loader C:\iatizuh\bin\RFPTHVd.exe
2019-08-13 23:42:55,446 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:55,446 [root] DEBUG: Loader: Injecting process 1448 (thread 840) with C:\iatizuh\dll\GUPRYLG.dll.
2019-08-13 23:42:55,446 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:42:55,446 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\GUPRYLG.dll.
2019-08-13 23:42:55,446 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77680000
2019-08-13 23:42:55,446 [root] DEBUG: InjectDllViaIAT: Allocated 0x1128 bytes for new import table at 0x00490000.
2019-08-13 23:42:55,446 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:55,446 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\GUPRYLG.dll.
2019-08-13 23:42:55,446 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1448
2019-08-13 23:42:55,446 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:55,446 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:55,446 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:55,460 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,460 [root] DEBUG: DLL unloaded from 0x74A20000.
2019-08-13 23:42:55,460 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1420
2019-08-13 23:42:55,460 [root] DEBUG: GetHookCallerBase: thread 1312 (handle 0x0), return address 0x00407C87, allocation base 0x00400000.
2019-08-13 23:42:55,460 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:42:55,460 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:42:55,460 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:42:55,460 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:55,460 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1448 at 0x74b50000, image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:42:55,460 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\ProgramData\??????????.exe".
2019-08-13 23:42:55,460 [root] INFO: Added new process to list with pid: 1448
2019-08-13 23:42:55,460 [root] INFO: Monitor successfully loaded in process with pid 1448.
2019-08-13 23:42:55,476 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:42:55,476 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\1420_12679792345522114382019
2019-08-13 23:42:55,476 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82600.
2019-08-13 23:42:55,476 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-08-13 23:42:55,476 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:42:55,476 [root] DEBUG: DLL unloaded from 0x74C10000.
2019-08-13 23:42:55,476 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:42:55,476 [root] INFO: Notified of termination of process with pid 1420.
2019-08-13 23:42:55,476 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:42:55,476 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:55,492 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:42:55,492 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:42:55,507 [root] DEBUG: DLL unloaded from 0x75D80000.
2019-08-13 23:42:55,555 [root] DEBUG: set_caller_info: Adding region at 0x04640000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:42:55,585 [root] DEBUG: DLL loaded at 0x74920000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:42:55,585 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:42:55,601 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:42:55,617 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:42:55,617 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:42:55,648 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:55,694 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:55,710 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:42:55,726 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:42:55,726 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:42:55,726 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:42:55,742 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:42:55,742 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:42:55,742 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:42:55,757 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:42:55,757 [root] DEBUG: DLL unloaded from 0x76430000.
2019-08-13 23:42:55,757 [root] INFO: Announced 64-bit process name: cmd.exe pid: 924
2019-08-13 23:42:55,789 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,789 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:55,789 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:55,803 [root] DEBUG: Loader: Injecting process 924 (thread 1932) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,803 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:55,803 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,803 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:55,819 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:55,835 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:55,835 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,835 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 924
2019-08-13 23:42:55,835 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:55,835 [root] DEBUG: DLL unloaded from 0x74920000.
2019-08-13 23:42:55,835 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:55,835 [root] DEBUG: DLL unloaded from 0x734E0000.
2019-08-13 23:42:55,835 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:55,851 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,851 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:55,851 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:55,851 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:55,867 [root] INFO: Announced 64-bit process name: cmd.exe pid: 572
2019-08-13 23:42:55,867 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:55,867 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,867 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:55,867 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:55,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:55,881 [root] DEBUG: Loader: Injecting process 572 (thread 560) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,881 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:55,881 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,881 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:55,881 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:55,881 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:55,898 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 924 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x0000000000084000-0x0000000000180000
2019-08-13 23:42:55,898 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:55,898 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc stop WinDefend.
2019-08-13 23:42:55,898 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,898 [root] INFO: Added new process to list with pid: 924
2019-08-13 23:42:55,898 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 572
2019-08-13 23:42:55,898 [root] INFO: Monitor successfully loaded in process with pid 924.
2019-08-13 23:42:55,898 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:55,898 [root] DEBUG: DLL unloaded from 0x72A60000.
2019-08-13 23:42:55,898 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:55,914 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:55,914 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:55,914 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:55,914 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:55,914 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1312
2019-08-13 23:42:55,914 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:55,928 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,928 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:55,928 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:55,928 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:55,928 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:55,928 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:55,928 [root] DEBUG: Loader: Injecting process 1312 (thread 332) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,944 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 572 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x0000000000224000-0x0000000000320000
2019-08-13 23:42:55,944 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:55,944 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c sc delete WinDefend.
2019-08-13 23:42:55,944 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,944 [root] INFO: Announced 64-bit process name: sc.exe pid: 980
2019-08-13 23:42:55,944 [root] INFO: Added new process to list with pid: 572
2019-08-13 23:42:55,944 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:55,944 [root] INFO: Monitor successfully loaded in process with pid 572.
2019-08-13 23:42:55,944 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,944 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:55,944 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:55,944 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:55,944 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:55,960 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,960 [root] INFO: Announced 64-bit process name: sc.exe pid: 2120
2019-08-13 23:42:55,960 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:55,960 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1312
2019-08-13 23:42:55,960 [root] DEBUG: Loader: Injecting process 980 (thread 1464) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,960 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,960 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:55,960 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:55,960 [root] DEBUG: Process image base: 0x00000000FFCE0000
2019-08-13 23:42:55,960 [root] DEBUG: DLL unloaded from 0x734E0000.
2019-08-13 23:42:55,960 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,960 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:55,960 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:55,976 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFCEF000 - 0x000007FEFF9A0000
2019-08-13 23:42:55,976 [root] DEBUG: Loader: Injecting process 2120 (thread 2124) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,976 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:55,976 [root] DEBUG: Process image base: 0x00000000FFCE0000
2019-08-13 23:42:55,976 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FFCF0000.
2019-08-13 23:42:55,976 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:55,976 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:55,976 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,976 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:55,976 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:55,976 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFCEF000 - 0x000007FEFF9A0000
2019-08-13 23:42:55,976 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:55,976 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,976 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FFCF0000.
2019-08-13 23:42:55,992 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2296
2019-08-13 23:42:55,992 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 980
2019-08-13 23:42:55,992 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:55,992 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:55,992 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:55,992 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:55,992 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:55,992 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:55,992 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:55,992 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2120
2019-08-13 23:42:55,992 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1312 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x00000000000E4000-0x00000000001E0000
2019-08-13 23:42:55,992 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,006 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,006 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,006 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:42:56,006 [root] DEBUG: Loader: Injecting process 2296 (thread 2300) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,006 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,006 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,006 [root] INFO: Added new process to list with pid: 1312
2019-08-13 23:42:56,006 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:56,006 [root] INFO: Monitor successfully loaded in process with pid 1312.
2019-08-13 23:42:56,006 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,006 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,006 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,023 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:56,023 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,023 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:56,023 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,023 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,023 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,023 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,023 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,038 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2296
2019-08-13 23:42:56,038 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,038 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,038 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:56,038 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 980 at 0x00000000746A0000, image base 0x00000000FFCE0000, stack from 0x00000000001A5000-0x00000000001B0000
2019-08-13 23:42:56,038 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2120 at 0x00000000746A0000, image base 0x00000000FFCE0000, stack from 0x0000000000186000-0x0000000000190000
2019-08-13 23:42:56,038 [root] DEBUG: DLL unloaded from 0x72A60000.
2019-08-13 23:42:56,038 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  stop WinDefend.
2019-08-13 23:42:56,038 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\sc  delete WinDefend.
2019-08-13 23:42:56,038 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:56,038 [root] INFO: Added new process to list with pid: 980
2019-08-13 23:42:56,038 [root] INFO: Monitor successfully loaded in process with pid 980.
2019-08-13 23:42:56,038 [root] INFO: Added new process to list with pid: 2120
2019-08-13 23:42:56,038 [root] INFO: Monitor successfully loaded in process with pid 2120.
2019-08-13 23:42:56,053 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:56,053 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:56,053 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,053 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2532
2019-08-13 23:42:56,053 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:56,053 [root] DEBUG: DLL unloaded from 0x000007FEFE5F0000.
2019-08-13 23:42:56,053 [root] DEBUG: DLL unloaded from 0x000007FEFE5F0000.
2019-08-13 23:42:56,053 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,053 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,053 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2120
2019-08-13 23:42:56,069 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2580
2019-08-13 23:42:56,069 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,069 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,069 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 980
2019-08-13 23:42:56,069 [root] DEBUG: GetHookCallerBase: thread 2124 (handle 0x0), return address 0x00000000FFCE107F, allocation base 0x00000000FFCE0000.
2019-08-13 23:42:56,069 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,069 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,069 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,069 [root] DEBUG: GetHookCallerBase: thread 1464 (handle 0x0), return address 0x00000000FFCE107F, allocation base 0x00000000FFCE0000.
2019-08-13 23:42:56,069 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFCE0000.
2019-08-13 23:42:56,069 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,069 [root] DEBUG: Loader: Injecting process 2532 (thread 2536) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,085 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFCE0000.
2019-08-13 23:42:56,085 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,085 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,085 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFCE0000.
2019-08-13 23:42:56,085 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:56,085 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFCE0000.
2019-08-13 23:42:56,085 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:42:56,085 [root] DEBUG: Loader: Injecting process 2580 (thread 2584) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,085 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,085 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,085 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:42:56,085 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:42:56,085 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2296 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x00000000000F4000-0x00000000001F0000
2019-08-13 23:42:56,085 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:56,085 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:56,085 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:42:56,085 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,085 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:56,101 [root] INFO: Added new process to list with pid: 2296
2019-08-13 23:42:56,101 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:56,101 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,101 [root] INFO: Monitor successfully loaded in process with pid 2296.
2019-08-13 23:42:56,101 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:56,101 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:42:56,101 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,101 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,101 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:56,101 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2532
2019-08-13 23:42:56,101 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:56,101 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,101 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:56,101 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2120_14517434111623114382019
2019-08-13 23:42:56,115 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2792
2019-08-13 23:42:56,115 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2580
2019-08-13 23:42:56,115 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:42:56,115 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:56,115 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,115 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,115 [root] DEBUG: DLL unloaded from 0x734E0000.
2019-08-13 23:42:56,115 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:56,115 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,115 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,115 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,131 [root] DEBUG: Loader: Injecting process 2792 (thread 2796) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,131 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:56,131 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,131 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:56,131 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:56,131 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,131 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,131 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,131 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2928
2019-08-13 23:42:56,131 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:56,148 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,148 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,148 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:56,148 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,148 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,148 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,148 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,148 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,148 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,148 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,148 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2580 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x00000000000F4000-0x00000000001F0000
2019-08-13 23:42:56,163 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2792
2019-08-13 23:42:56,163 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,163 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:42:56,163 [root] DEBUG: Loader: Injecting process 2928 (thread 2932) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,163 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,163 [root] INFO: Added new process to list with pid: 2580
2019-08-13 23:42:56,163 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:56,163 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,163 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,163 [root] INFO: Monitor successfully loaded in process with pid 2580.
2019-08-13 23:42:56,163 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,163 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2532 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x00000000001A6000-0x00000000001B0000
2019-08-13 23:42:56,163 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,163 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:56,163 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:42:56,163 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableRealtimeMonitoring $true.
2019-08-13 23:42:56,163 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:42:56,178 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:56,178 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:56,178 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,178 [root] INFO: Added new process to list with pid: 2532
2019-08-13 23:42:56,178 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,178 [root] INFO: Monitor successfully loaded in process with pid 2532.
2019-08-13 23:42:56,178 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2064
2019-08-13 23:42:56,178 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,178 [root] INFO: Notified of termination of process with pid 980.
2019-08-13 23:42:56,210 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,210 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,210 [root] INFO: Notified of termination of process with pid 2120.
2019-08-13 23:42:56,210 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,210 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2928
2019-08-13 23:42:56,210 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,210 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 924
2019-08-13 23:42:56,210 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 572
2019-08-13 23:42:56,210 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:56,226 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,226 [root] DEBUG: GetHookCallerBase: thread 1932 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:42:56,226 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,226 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:42:56,226 [root] DEBUG: DLL unloaded from 0x72A60000.
2019-08-13 23:42:56,226 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2792 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x00000000000B5000-0x00000000000C0000
2019-08-13 23:42:56,226 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,226 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:42:56,226 [root] DEBUG: Loader: Injecting process 2064 (thread 2072) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,226 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:42:56,240 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:56,240 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:56,240 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBehaviorMonitoring $true.
2019-08-13 23:42:56,240 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,240 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:56,240 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:42:56,240 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:42:56,240 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:56,240 [root] INFO: Added new process to list with pid: 2792
2019-08-13 23:42:56,240 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,240 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,256 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:56,256 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:56,256 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:42:56,256 [root] INFO: Monitor successfully loaded in process with pid 2792.
2019-08-13 23:42:56,256 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:56,256 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:56,256 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:56,256 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:42:56,256 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,256 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:56,256 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:56,272 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:56,272 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2392
2019-08-13 23:42:56,272 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,272 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:42:56,272 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:56,272 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,288 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:42:56,288 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,288 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,288 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,288 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\572_19375676825622114382019
2019-08-13 23:42:56,288 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:56,288 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2928 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x0000000000084000-0x0000000000180000
2019-08-13 23:42:56,288 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,288 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:42:56,288 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2064
2019-08-13 23:42:56,288 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:42:56,303 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:42:56,303 [root] INFO: Notified of termination of process with pid 924.
2019-08-13 23:42:56,303 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,303 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:56,303 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:42:56,303 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:56,303 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,303 [root] INFO: Added new process to list with pid: 2928
2019-08-13 23:42:56,303 [root] DEBUG: Loader: Injecting process 2392 (thread 2400) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,319 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:56,319 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:56,319 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,319 [root] INFO: Monitor successfully loaded in process with pid 2928.
2019-08-13 23:42:56,319 [root] INFO: Notified of termination of process with pid 572.
2019-08-13 23:42:56,319 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:56,335 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,335 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:56,335 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:56,335 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:56,335 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,335 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,335 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2588
2019-08-13 23:42:56,349 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:56,349 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,365 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:56,365 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:56,365 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,365 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,365 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,365 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,365 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:56,365 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,381 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2064 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 23:42:56,381 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:56,381 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2392
2019-08-13 23:42:56,381 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,381 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableBlockAtFirstSeen $true.
2019-08-13 23:42:56,381 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:56,381 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:56,381 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:56,381 [root] DEBUG: Loader: Injecting process 2588 (thread 2608) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,381 [root] INFO: Added new process to list with pid: 2064
2019-08-13 23:42:56,397 [root] DEBUG: DLL unloaded from 0x734E0000.
2019-08-13 23:42:56,397 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:56,397 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:56,397 [root] INFO: Monitor successfully loaded in process with pid 2064.
2019-08-13 23:42:56,397 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,397 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:56,397 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:56,397 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,413 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,413 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:56,413 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:56,413 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:56,413 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:56,413 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,413 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:56,413 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:56,413 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:56,413 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:56,427 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:56,427 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,427 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:56,427 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2948
2019-08-13 23:42:56,427 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,427 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:56,427 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:56,427 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,427 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:56,444 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,444 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,444 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:56,474 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2588
2019-08-13 23:42:56,474 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:56,474 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:56,474 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,474 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,474 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:56,490 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2392 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x00000000001D4000-0x00000000002D0000
2019-08-13 23:42:56,490 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:56,490 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:56,490 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:56,490 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,506 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:42:56,506 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:56,709 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:56,724 [root] INFO: Added new process to list with pid: 2392
2019-08-13 23:42:56,724 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:56,724 [root] INFO: Monitor successfully loaded in process with pid 2392.
2019-08-13 23:42:56,772 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:56,772 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:56,772 [root] DEBUG: Loader: Injecting process 2948 (thread 2952) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,786 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:56,786 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:56,786 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2588 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x0000000000146000-0x0000000000150000
2019-08-13 23:42:56,818 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:56,818 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:56,818 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2972
2019-08-13 23:42:56,834 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:56,834 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIOAVProtection $true.
2019-08-13 23:42:56,834 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,834 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:56,834 [root] INFO: Added new process to list with pid: 2588
2019-08-13 23:42:56,834 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:56,834 [root] INFO: Monitor successfully loaded in process with pid 2588.
2019-08-13 23:42:56,849 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:56,865 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:56,881 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:56,881 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:56,881 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:56,881 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:56,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:56,881 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:56,881 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:56,895 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:56,895 [root] DEBUG: Loader: Injecting process 2972 (thread 2988) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,927 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:56,927 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:56,927 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:56,927 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:56,927 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:56,943 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:56,943 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:56,959 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:56,959 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:56,959 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:57,068 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,084 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2948
2019-08-13 23:42:57,084 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:57,084 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:57,084 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:57,084 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:57,084 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:57,098 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:57,098 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:57,098 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:57,098 [root] DEBUG: DLL unloaded from 0x72A60000.
2019-08-13 23:42:57,098 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:57,098 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:57,098 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:57,098 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:57,098 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,098 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:57,115 [root] INFO: Process with pid 1420 has terminated
2019-08-13 23:42:57,115 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:57,115 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2972
2019-08-13 23:42:57,130 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:57,130 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:57,130 [root] INFO: Process with pid 924 has terminated
2019-08-13 23:42:57,130 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:57,145 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:57,145 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:57,145 [root] INFO: Process with pid 980 has terminated
2019-08-13 23:42:57,145 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:57,145 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2512
2019-08-13 23:42:57,145 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:57,145 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:57,145 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:57,193 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2948 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 23:42:57,193 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:57,364 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:42:57,380 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:57,380 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:57,380 [root] INFO: Added new process to list with pid: 2948
2019-08-13 23:42:57,380 [root] INFO: Monitor successfully loaded in process with pid 2948.
2019-08-13 23:42:57,441 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:57,441 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:57,457 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:57,457 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2044
2019-08-13 23:42:57,473 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:57,489 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:57,505 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:57,505 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:57,519 [root] DEBUG: Loader: Injecting process 2512 (thread 2520) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,519 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:57,519 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:57,536 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2972 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x0000000000145000-0x0000000000150000
2019-08-13 23:42:57,536 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:57,536 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:57,552 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:57,552 [root] DEBUG: Loader: Injecting process 2044 (thread 2556) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,552 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisablePrivacyMode $true.
2019-08-13 23:42:57,552 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:57,552 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:57,552 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,552 [root] INFO: Added new process to list with pid: 2972
2019-08-13 23:42:57,552 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,552 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:57,552 [root] INFO: Monitor successfully loaded in process with pid 2972.
2019-08-13 23:42:57,566 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:57,566 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:57,566 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:57,566 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:57,566 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:57,566 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:57,566 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:57,566 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,582 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,582 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:57,582 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2512
2019-08-13 23:42:57,582 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2044
2019-08-13 23:42:57,582 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:57,582 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:57,598 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:57,598 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:57,598 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:57,598 [root] DEBUG: DLL unloaded from 0x734E0000.
2019-08-13 23:42:57,598 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:57,598 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:57,598 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:57,598 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:57,614 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:57,614 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:57,630 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:57,630 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:57,644 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:57,644 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:57,644 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:57,644 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:57,644 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:57,661 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:57,661 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2408
2019-08-13 23:42:57,661 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:57,661 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:57,661 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:57,676 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:57,676 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:57,676 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2044 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x00000000000B5000-0x00000000000C0000
2019-08-13 23:42:57,676 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2512 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x0000000000144000-0x0000000000240000
2019-08-13 23:42:57,676 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:57,676 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:57,676 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableIntrusionPreventionSystem $true.
2019-08-13 23:42:57,676 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:42:57,676 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:57,691 [root] INFO: Added new process to list with pid: 2044
2019-08-13 23:42:57,691 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:57,691 [root] INFO: Monitor successfully loaded in process with pid 2044.
2019-08-13 23:42:57,691 [root] INFO: Added new process to list with pid: 2512
2019-08-13 23:42:57,691 [root] DEBUG: Loader: Injecting process 2408 (thread 1464) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,691 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:57,707 [root] INFO: Monitor successfully loaded in process with pid 2512.
2019-08-13 23:42:57,707 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:57,723 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:57,723 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:57,723 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:57,723 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,723 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:57,723 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:57,739 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2208
2019-08-13 23:42:57,739 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:57,739 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:57,739 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:57,739 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:57,739 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:57,739 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:57,739 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:57,753 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:57,753 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:57,753 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:57,753 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,753 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:57,753 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2408
2019-08-13 23:42:57,753 [root] DEBUG: Loader: Injecting process 2208 (thread 2276) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,786 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:57,786 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:57,786 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:57,786 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:57,786 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:57,786 [root] DEBUG: DLL unloaded from 0x72A60000.
2019-08-13 23:42:57,786 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:57,801 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:57,801 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,832 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:57,848 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:57,848 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:57,864 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:57,864 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:57,864 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:57,864 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:57,864 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:57,878 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:57,878 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:57,878 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:57,878 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2732
2019-08-13 23:42:57,878 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:57,878 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:57,957 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:57,957 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:57,957 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2208
2019-08-13 23:42:58,003 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2408 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x00000000000B4000-0x00000000001B0000
2019-08-13 23:42:58,003 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:58,003 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:58,003 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:58,019 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:42:58,035 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:58,082 [root] INFO: Added new process to list with pid: 2408
2019-08-13 23:42:58,082 [root] INFO: Monitor successfully loaded in process with pid 2408.
2019-08-13 23:42:58,098 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:58,098 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:58,098 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:42:58,098 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:58,112 [root] DEBUG: Loader: Injecting process 2732 (thread 2488) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,112 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:58,112 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:58,128 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:58,128 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:58,128 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:58,128 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:42:58,128 [root] INFO: Announced 64-bit process name: powershell.exe pid: 560
2019-08-13 23:42:58,128 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:58,144 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:58,144 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,144 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:58,160 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2208 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x0000000000135000-0x0000000000140000
2019-08-13 23:42:58,160 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:58,176 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:58,176 [root] INFO: Process with pid 572 has terminated
2019-08-13 23:42:58,176 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -SevereThreatDefaultAction 6.
2019-08-13 23:42:58,176 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:58,190 [root] INFO: Process with pid 2120 has terminated
2019-08-13 23:42:58,190 [root] INFO: Added new process to list with pid: 2208
2019-08-13 23:42:58,190 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:58,190 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:58,190 [root] INFO: Monitor successfully loaded in process with pid 2208.
2019-08-13 23:42:58,190 [root] DEBUG: Loader: Injecting process 560 (thread 320) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,190 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,190 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2732
2019-08-13 23:42:58,190 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:58,207 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:58,207 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:58,207 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,207 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:58,207 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:58,221 [root] DEBUG: DLL unloaded from 0x734E0000.
2019-08-13 23:42:58,221 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:58,221 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:58,221 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:58,221 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:58,221 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:58,221 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:58,221 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:58,237 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:42:58,237 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:58,237 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:58,237 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:58,237 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:42:58,253 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,253 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:58,253 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:58,253 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 560
2019-08-13 23:42:58,253 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2240
2019-08-13 23:42:58,269 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:58,269 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:58,285 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:58,285 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:58,285 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:58,285 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:58,285 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2732 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x0000000000074000-0x0000000000170000
2019-08-13 23:42:58,285 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:58,285 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:58,299 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:42:58,299 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:58,299 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:42:58,299 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:58,315 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:58,315 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:58,315 [root] INFO: Added new process to list with pid: 2732
2019-08-13 23:42:58,315 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:42:58,315 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:58,315 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:58,315 [root] DEBUG: Loader: Injecting process 2240 (thread 2260) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,315 [root] INFO: Monitor successfully loaded in process with pid 2732.
2019-08-13 23:42:58,332 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:58,332 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:58,332 [root] DEBUG: Process image base: 0x000000004AB10000
2019-08-13 23:42:58,362 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:58,362 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 560 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x0000000000135000-0x0000000000140000
2019-08-13 23:42:58,362 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:58,362 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,378 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -LowThreatDefaultAction 6.
2019-08-13 23:42:58,378 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2624
2019-08-13 23:42:58,378 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004AB69000 - 0x0000000077680000
2019-08-13 23:42:58,394 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:58,410 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:58,410 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:58,410 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:58,424 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004AB70000.
2019-08-13 23:42:58,424 [root] DEBUG: DLL loaded at 0x000007FEF98C0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:42:58,424 [root] INFO: Added new process to list with pid: 560
2019-08-13 23:42:58,424 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:58,424 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:58,424 [root] INFO: Monitor successfully loaded in process with pid 560.
2019-08-13 23:42:58,440 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:58,440 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,440 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:58,440 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2240
2019-08-13 23:42:58,440 [root] DEBUG: Loader: Injecting process 2624 (thread 2648) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,456 [root] DEBUG: DLL unloaded from 0x760D0000.
2019-08-13 23:42:58,456 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:58,456 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:58,456 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:58,456 [root] DEBUG: DLL loaded at 0x000007FEF29E0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:42:58,456 [root] DEBUG: DLL unloaded from 0x72A60000.
2019-08-13 23:42:58,456 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:58,471 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:58,471 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,471 [root] DEBUG: DLL loaded at 0x00000000745D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:42:58,487 [root] DEBUG: DLL unloaded from 0x77230000.
2019-08-13 23:42:58,487 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:58,487 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:58,503 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:58,503 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:58,503 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:58,503 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:58,519 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:58,519 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:58,533 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:58,533 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:58,549 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,549 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:58,565 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2624
2019-08-13 23:42:58,565 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:58,581 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2240 at 0x00000000746A0000, image base 0x000000004AB10000, stack from 0x0000000000154000-0x0000000000250000
2019-08-13 23:42:58,581 [root] DEBUG: DLL loaded at 0x000007FEF1B00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:42:58,581 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:58,581 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:58,596 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\cmd.exe" \c powershell Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:42:58,628 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:58,644 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:58,644 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:42:58,644 [root] INFO: Added new process to list with pid: 2240
2019-08-13 23:42:58,644 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:58,644 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:58,644 [root] INFO: Monitor successfully loaded in process with pid 2240.
2019-08-13 23:42:58,674 [root] DEBUG: DLL loaded at 0x000007FEFD460000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:42:58,674 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:58,674 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:58,674 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1316
2019-08-13 23:42:58,674 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:58,674 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:58,674 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:58,690 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:42:58,690 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:42:58,690 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:58,736 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:58,736 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2624 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x0000000000265000-0x0000000000270000
2019-08-13 23:42:58,753 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -ModerateThreatDefaultAction 6.
2019-08-13 23:42:58,753 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:42:58,753 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:58,753 [root] INFO: Added new process to list with pid: 2624
2019-08-13 23:42:58,767 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:58,767 [root] INFO: Monitor successfully loaded in process with pid 2624.
2019-08-13 23:42:58,767 [root] DEBUG: Loader: Injecting process 1316 (thread 2388) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,767 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:58,767 [root] DEBUG: Process image base: 0x000000013F330000
2019-08-13 23:42:58,767 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:58,783 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,783 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:58,783 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F3A7000 - 0x000007FEFF9A0000
2019-08-13 23:42:58,799 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:58,799 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F3B0000.
2019-08-13 23:42:58,799 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:42:58,799 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:58,815 [root] DEBUG: DLL loaded at 0x000007FEF10D0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:42:58,815 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:58,831 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:42:58,831 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:58,831 [root] DEBUG: DLL loaded at 0x000007FEF3C90000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:42:58,831 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1316
2019-08-13 23:42:58,831 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:58,845 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:42:58,845 [root] DEBUG: Process dumps enabled.
2019-08-13 23:42:58,878 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:58,892 [root] INFO: Disabling sleep skipping.
2019-08-13 23:42:58,924 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:58,940 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:58,940 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:42:58,940 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:58,940 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:42:58,956 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:58,956 [root] WARNING: Unable to hook LockResource
2019-08-13 23:42:59,002 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:42:59,002 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1316 at 0x00000000746A0000, image base 0x000000013F330000, stack from 0x0000000000165000-0x0000000000170000
2019-08-13 23:42:59,017 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\powershell  Set-MpPreference -DisableScriptScanning $true.
2019-08-13 23:42:59,017 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:59,017 [root] INFO: Added new process to list with pid: 1316
2019-08-13 23:42:59,049 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:42:59,049 [root] INFO: Monitor successfully loaded in process with pid 1316.
2019-08-13 23:42:59,065 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:59,065 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:59,079 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:42:59,095 [root] DEBUG: DLL loaded at 0x000007FEFE9E0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:42:59,111 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:42:59,127 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:42:59,127 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:42:59,157 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:42:59,174 [root] DEBUG: DLL loaded at 0x000007FEFBDB0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:42:59,174 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:42:59,174 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:42:59,220 [root] DEBUG: DLL loaded at 0x000007FEFE150000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:42:59,220 [root] DEBUG: DLL loaded at 0x000007FEFD8D0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:42:59,220 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:42:59,236 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:59,236 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:42:59,236 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:59,299 [root] DEBUG: DLL loaded at 0x000007FEF0240000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:42:59,313 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:59,313 [root] DEBUG: DLL loaded at 0x000007FEF9810000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:42:59,329 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:59,345 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:42:59,548 [root] DEBUG: DLL loaded at 0x000007FEF4C80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:42:59,579 [root] DEBUG: DLL loaded at 0x000007FEF35C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:42:59,595 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:42:59,673 [root] DEBUG: DLL loaded at 0x000007FEF0020000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:42:59,688 [root] DEBUG: DLL loaded at 0x000007FEF9C30000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:42:59,720 [root] DEBUG: DLL loaded at 0x000007FEEFF00000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:42:59,736 [root] DEBUG: DLL loaded at 0x000007FEF8840000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:42:59,736 [root] DEBUG: DLL loaded at 0x000007FEFD070000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:42:59,750 [root] DEBUG: DLL loaded at 0x000007FEF4870000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:00,032 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:00,048 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:00,125 [root] DEBUG: DLL loaded at 0x000007FEEFD70000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:00,328 [root] DEBUG: DLL loaded at 0x000007FEEF6C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:00,344 [root] DEBUG: DLL loaded at 0x000007FEEF550000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:00,359 [root] DEBUG: DLL loaded at 0x000007FEEF3B0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:00,453 [root] DEBUG: DLL loaded at 0x000007FEFACE0000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:01,186 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:01,374 [root] DEBUG: DLL loaded at 0x000007FEEEB60000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:01,388 [root] DEBUG: DLL loaded at 0x000000001D0A0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:43:01,420 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:43:01,436 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:43:01,451 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:43:01,451 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:43:01,809 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:43:01,966 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:43:02,091 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2792
2019-08-13 23:43:02,091 [root] DEBUG: GetHookCallerBase: thread 2796 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:43:02,107 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:43:02,107 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:43:02,107 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:43:02,154 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2792_4968107101238114382019
2019-08-13 23:43:02,154 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:43:02,168 [root] DEBUG: DLL loaded at 0x000007FEFB190000: C:\Windows\system32\netutils (0xc000 bytes).
2019-08-13 23:43:02,184 [root] DEBUG: DLL unloaded from 0x000007FEFBDB0000.
2019-08-13 23:43:02,184 [root] DEBUG: DLL unloaded from 0x0000000077460000.
2019-08-13 23:43:02,200 [root] DEBUG: DLL unloaded from 0x000007FEF29E0000.
2019-08-13 23:43:02,200 [root] DEBUG: DLL unloaded from 0x000007FEF98C0000.
2019-08-13 23:43:02,216 [root] DEBUG: DLL unloaded from 0x000007FEFC700000.
2019-08-13 23:43:02,232 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:43:02,232 [root] INFO: Notified of termination of process with pid 2792.
2019-08-13 23:43:02,246 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2296
2019-08-13 23:43:02,263 [root] DEBUG: GetHookCallerBase: thread 2300 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:43:02,263 [root] INFO: Process with pid 2792 has terminated
2019-08-13 23:43:02,278 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:43:02,278 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:43:02,293 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:43:02,309 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:43:02,355 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2296_1498096822223114382019
2019-08-13 23:43:02,371 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:43:02,371 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:43:02,388 [root] INFO: Notified of termination of process with pid 2296.
2019-08-13 23:43:02,496 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2996
2019-08-13 23:43:02,512 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:43:02,512 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:43:02,528 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:43:02,528 [root] DEBUG: Loader: Injecting process 2996 (thread 2244) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:02,543 [root] DEBUG: Process image base: 0x00000000FF650000
2019-08-13 23:43:02,543 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:02,543 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF65B000 - 0x000007FEFF9A0000
2019-08-13 23:43:02,575 [root] DEBUG: InjectDllViaIAT: Allocated 0x20c bytes for new import table at 0x00000000FF660000.
2019-08-13 23:43:02,575 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:43:02,575 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:02,589 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2996
2019-08-13 23:43:02,589 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:43:02,605 [root] DEBUG: Process dumps enabled.
2019-08-13 23:43:02,605 [root] INFO: Disabling sleep skipping.
2019-08-13 23:43:02,621 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:43:02,621 [root] WARNING: Unable to hook LockResource
2019-08-13 23:43:02,621 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:43:02,621 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2996 at 0x00000000746A0000, image base 0x00000000FF650000, stack from 0x0000000000195000-0x00000000001A0000
2019-08-13 23:43:02,637 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2019-08-13 23:43:02,637 [root] INFO: Added new process to list with pid: 2996
2019-08-13 23:43:02,637 [root] INFO: Monitor successfully loaded in process with pid 2996.
2019-08-13 23:43:02,637 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1448
2019-08-13 23:43:02,637 [root] DEBUG: set_caller_info: Adding region at 0x0000000010000000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:43:02,653 [root] DEBUG: GetHookCallerBase: thread 840 (handle 0x0), return address 0x046690EF, allocation base 0x04640000.
2019-08-13 23:43:02,653 [root] DEBUG: set_caller_info: Adding region at 0x00000000002C0000 to caller regions list (ntdll::LdrLoadDll).
2019-08-13 23:43:02,653 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 23:43:02,653 [root] DEBUG: DLL loaded at 0x000007FEFCFE0000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-08-13 23:43:02,653 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:43:02,667 [root] DEBUG: DLL loaded at 0x000007FEFCFB0000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-08-13 23:43:02,667 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:43:02,667 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:43:02,684 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:43:02,684 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\1448_1001574412223114382019
2019-08-13 23:43:02,684 [root] DEBUG: DLL loaded at 0x000007FEFE4E0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-08-13 23:43:02,684 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82600.
2019-08-13 23:43:02,700 [root] DEBUG: DLL loaded at 0x000007FEFEA80000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-08-13 23:43:02,700 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x04640000.
2019-08-13 23:43:02,700 [root] DEBUG: DLL loaded at 0x000007FEFC920000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:43:02,700 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\CAMuQTV\CAPE\1448_1573255720223114382019
2019-08-13 23:43:02,700 [root] DEBUG: DLL loaded at 0x000007FEFD590000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:43:02,700 [root] DEBUG: DLL loaded at 0x000007FEFB440000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-08-13 23:43:02,714 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:43:02,714 [root] DEBUG: DLL loaded at 0x000007FEFB400000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-08-13 23:43:02,714 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\1448_1573255720223114382019
2019-08-13 23:43:02,730 [root] DEBUG: DumpRegion: Dumped stack region from 0x04640000, size 0x2c000.
2019-08-13 23:43:02,730 [root] DEBUG: DLL loaded at 0x000007FEF4480000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-08-13 23:43:02,730 [root] DEBUG: DLL unloaded from 0x74920000.
2019-08-13 23:43:02,730 [root] DEBUG: DLL loaded at 0x000007FEF4410000: C:\Windows\system32\webio (0x64000 bytes).
2019-08-13 23:43:02,730 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-08-13 23:43:02,746 [root] DEBUG: DLL unloaded from 0x74C10000.
2019-08-13 23:43:02,746 [root] INFO: Notified of termination of process with pid 1448.
2019-08-13 23:43:02,762 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:43:02,778 [root] DEBUG: set_caller_info: Adding region at 0x0000000000120000 to caller regions list (ntdll::NtOpenFile).
2019-08-13 23:43:02,778 [root] DEBUG: DLL unloaded from 0x0000000077460000.
2019-08-13 23:43:02,792 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\cryptsp (0x17000 bytes).
2019-08-13 23:43:02,792 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\credssp (0xa000 bytes).
2019-08-13 23:43:02,809 [root] DEBUG: DLL unloaded from 0x000007FEFCE60000.
2019-08-13 23:43:03,135 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:43:03,292 [root] INFO: Process with pid 1448 has terminated
2019-08-13 23:43:03,292 [root] INFO: Process with pid 2296 has terminated
2019-08-13 23:43:03,308 [root] DEBUG: DLL loaded at 0x000007FEFB1C0000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-08-13 23:43:03,308 [root] DEBUG: set_caller_info: Adding region at 0x0000000000350000 to caller regions list (advapi32::CryptAcquireContextW).
2019-08-13 23:43:03,338 [root] DEBUG: DLL unloaded from 0x000007FEFE5F0000.
2019-08-13 23:43:03,417 [root] INFO: Announced starting service "KeyIso"
2019-08-13 23:43:03,417 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2019-08-13 23:43:03,417 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:43:03,433 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:43:03,433 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:43:03,433 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:03,447 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 23:43:03,447 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:43:03,447 [root] DEBUG: Process dumps enabled.
2019-08-13 23:43:03,447 [root] INFO: Disabling sleep skipping.
2019-08-13 23:43:03,463 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:43:03,463 [root] WARNING: Unable to hook LockResource
2019-08-13 23:43:03,480 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 464 at 0x00000000746A0000, image base 0x00000000FFAB0000, stack from 0x0000000002866000-0x0000000002870000
2019-08-13 23:43:03,480 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-08-13 23:43:03,480 [root] INFO: Added new process to list with pid: 464
2019-08-13 23:43:03,480 [root] INFO: Monitor successfully loaded in process with pid 464.
2019-08-13 23:43:03,494 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:43:03,494 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:43:03,494 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:04,525 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2108
2019-08-13 23:43:04,539 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 23:43:04,539 [lib.api.process] INFO: 64-bit DLL to inject is C:\iatizuh\dll\tfGslHs.dll, loader C:\iatizuh\bin\ONStHXkX.exe
2019-08-13 23:43:04,539 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LRQQUCSjJ.
2019-08-13 23:43:04,539 [root] DEBUG: Loader: Injecting process 2108 (thread 2104) with C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:04,555 [root] DEBUG: Process image base: 0x00000000FF040000
2019-08-13 23:43:04,555 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:04,555 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF04C000 - 0x000007FEFF9A0000
2019-08-13 23:43:04,555 [root] DEBUG: InjectDllViaIAT: Allocated 0x2a0 bytes for new import table at 0x00000000FF050000.
2019-08-13 23:43:04,572 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:43:04,572 [root] DEBUG: Successfully injected DLL C:\iatizuh\dll\tfGslHs.dll.
2019-08-13 23:43:04,572 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2108
2019-08-13 23:43:04,586 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 23:43:04,586 [root] DEBUG: Process dumps enabled.
2019-08-13 23:43:04,586 [root] INFO: Disabling sleep skipping.
2019-08-13 23:43:04,602 [root] WARNING: Unable to place hook on LockResource
2019-08-13 23:43:04,602 [root] WARNING: Unable to hook LockResource
2019-08-13 23:43:04,602 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 23:43:04,618 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2108 at 0x00000000746A0000, image base 0x00000000FF040000, stack from 0x00000000001D4000-0x00000000001E0000
2019-08-13 23:43:04,618 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2019-08-13 23:43:04,618 [root] INFO: Added new process to list with pid: 2108
2019-08-13 23:43:04,618 [root] INFO: Monitor successfully loaded in process with pid 2108.
2019-08-13 23:43:37,783 [root] INFO: Notified of termination of process with pid 2108.
2019-08-13 23:43:37,783 [root] DEBUG: Terminate Event: Attempting to dump process 2108
2019-08-13 23:43:37,831 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:37,831 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:37,924 [root] INFO: Process with pid 2108 has terminated
2019-08-13 23:43:38,782 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:38,782 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2996
2019-08-13 23:43:38,782 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:38,782 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:38,859 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:38,859 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:38,891 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:39,780 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:39,780 [root] DEBUG: GetHookCallerBase: thread 2244 (handle 0x0), return address 0x00000000100134BF, allocation base 0x0000000010000000.
2019-08-13 23:43:39,780 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:39,780 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:39,780 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:39,780 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:39,858 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:40,779 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:40,779 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:40,779 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000010000000.
2019-08-13 23:43:40,779 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:40,779 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:40,779 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:40,809 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:40,809 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:41,778 [root] DEBUG: DLL loaded at 0x000007FEF8C60000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:43:41,778 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:41,778 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:41,792 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:42,792 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:42,792 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:42,792 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:42,838 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:43,134 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000010000000.
2019-08-13 23:43:43,134 [root] DEBUG: DLL loaded at 0x000007FEFB620000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:43:43,134 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RC1D4LVLLPHF4JLIY649.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RC1D4LVLLPHF4JLIY649.temp'
2019-08-13 23:43:43,150 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\T7V0WOC5SR5UKDDR9XBF.temp'
2019-08-13 23:43:43,181 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:43,197 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:43,213 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSIOMX2AUKPJXQKO0IM9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JSIOMX2AUKPJXQKO0IM9.temp'
2019-08-13 23:43:43,213 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\T7V0WOC5SR5UKDDR9XBF.temp'
2019-08-13 23:43:43,243 [root] DEBUG: DLL loaded at 0x000007FEFCE60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:43:43,259 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:43,259 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:43,259 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RC1D4LVLLPHF4JLIY649.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RC1D4LVLLPHF4JLIY649.temp'
2019-08-13 23:43:43,275 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUPIUSV1H5G4IOC78A6W.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\NUPIUSV1H5G4IOC78A6W.temp'
2019-08-13 23:43:43,275 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000003460.
2019-08-13 23:43:43,290 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,290 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YEQP9L800OMYB0C7IBFI.temp'
2019-08-13 23:43:43,290 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GCWICGGM3CAS6IDT43DP.temp'
2019-08-13 23:43:43,290 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,290 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSIOMX2AUKPJXQKO0IM9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JSIOMX2AUKPJXQKO0IM9.temp'
2019-08-13 23:43:43,290 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUPIUSV1H5G4IOC78A6W.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\NUPIUSV1H5G4IOC78A6W.temp'
2019-08-13 23:43:43,305 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YEQP9L800OMYB0C7IBFI.temp'
2019-08-13 23:43:43,305 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GCWICGGM3CAS6IDT43DP.temp'
2019-08-13 23:43:43,305 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\T7V0WOC5SR5UKDDR9XBF.temp'
2019-08-13 23:43:43,305 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:43:43,305 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,322 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,322 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4143.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFbd4143.TMP'
2019-08-13 23:43:43,338 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2996_12047084191224114382019
2019-08-13 23:43:43,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RC1D4LVLLPHF4JLIY649.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RC1D4LVLLPHF4JLIY649.temp'
2019-08-13 23:43:43,338 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,338 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:43:43,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YEQP9L800OMYB0C7IBFI.temp'
2019-08-13 23:43:43,338 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSIOMX2AUKPJXQKO0IM9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JSIOMX2AUKPJXQKO0IM9.temp'
2019-08-13 23:43:43,352 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4152.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFbd4152.TMP'
2019-08-13 23:43:43,368 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUPIUSV1H5G4IOC78A6W.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\NUPIUSV1H5G4IOC78A6W.temp'
2019-08-13 23:43:43,368 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PR67G7BXZV0GRCWG1LH.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3PR67G7BXZV0GRCWG1LH.temp'
2019-08-13 23:43:43,368 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1be00.
2019-08-13 23:43:43,368 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,368 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GCWICGGM3CAS6IDT43DP.temp'
2019-08-13 23:43:43,384 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\L74ZL1KUYRC508AYO5ZL.temp'
2019-08-13 23:43:43,384 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4163.TMP" does not exist, skip.
2019-08-13 23:43:43,384 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PR67G7BXZV0GRCWG1LH.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3PR67G7BXZV0GRCWG1LH.temp'
2019-08-13 23:43:43,384 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,400 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\L74ZL1KUYRC508AYO5ZL.temp'
2019-08-13 23:43:43,400 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4162.TMP" does not exist, skip.
2019-08-13 23:43:43,400 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,415 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4182.TMP" does not exist, skip.
2019-08-13 23:43:43,430 [root] DEBUG: DLL unloaded from 0x000007FEFCA70000.
2019-08-13 23:43:43,430 [root] DEBUG: DLL unloaded from 0x000007FEFDC60000.
2019-08-13 23:43:43,447 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4181.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFbd4181.TMP'
2019-08-13 23:43:43,447 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,461 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,461 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,477 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RC1D4LVLLPHF4JLIY649.temp" does not exist, skip.
2019-08-13 23:43:43,477 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PR67G7BXZV0GRCWG1LH.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3PR67G7BXZV0GRCWG1LH.temp'
2019-08-13 23:43:43,477 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,493 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\L74ZL1KUYRC508AYO5ZL.temp'
2019-08-13 23:43:43,493 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp" does not exist, skip.
2019-08-13 23:43:43,509 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:43,509 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41bf.TMP" does not exist, skip.
2019-08-13 23:43:43,509 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,509 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:43:43,509 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,509 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,525 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:43,525 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41df.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFbd41df.TMP'
2019-08-13 23:43:43,555 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,555 [root] INFO: Notified of termination of process with pid 2996.
2019-08-13 23:43:43,555 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:43,555 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp" does not exist, skip.
2019-08-13 23:43:43,555 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:43,572 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,572 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:43:43,572 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:43,572 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,586 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSIOMX2AUKPJXQKO0IM9.temp" does not exist, skip.
2019-08-13 23:43:43,586 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:43,586 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,618 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PR67G7BXZV0GRCWG1LH.temp" does not exist, skip.
2019-08-13 23:43:43,634 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,634 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:43,634 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUPIUSV1H5G4IOC78A6W.temp" does not exist, skip.
2019-08-13 23:43:43,634 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,664 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:43,773 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp" does not exist, skip.
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x000007FEF7B80000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:43:43,773 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,789 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp" does not exist, skip.
2019-08-13 23:43:43,805 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:43,805 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:43,821 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,821 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PR67G7BXZV0GRCWG1LH.temp" does not exist, skip.
2019-08-13 23:43:43,821 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:43,821 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:43,821 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:43,836 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,836 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:43,851 [root] DEBUG: DLL loaded at 0x000007FEF2D10000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:43:43,914 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,914 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:43,930 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:43,930 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:43,930 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:43,946 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:43,976 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:43,976 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:44,101 [root] INFO: Process with pid 2996 has terminated
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x0000000074B40000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:43:44,242 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:44,242 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,257 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,257 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:44,257 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:44,257 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:44,257 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,289 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:44,289 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:44,289 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,319 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:44,335 [root] DEBUG: DLL loaded at 0x000007FEF1E30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-08-13 23:43:44,335 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:44,335 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:44,335 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:44,351 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:44,351 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,367 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:44,367 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:44,367 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:44,367 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:44,382 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:44,398 [root] DEBUG: DLL loaded at 0x000007FEF1400000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-08-13 23:43:44,398 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:44,398 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:44,414 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:44,414 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:44,414 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:44,430 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:44,430 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:44,444 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:44,444 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:44,444 [root] DEBUG: DLL unloaded from 0x000007FEFDD60000.
2019-08-13 23:43:44,444 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:44,444 [root] DEBUG: DLL loaded at 0x000007FEF7A30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-08-13 23:43:44,492 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,492 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:44,492 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:44,507 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:44,507 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,507 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:44,507 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:44,507 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:44,523 [root] DEBUG: DLL loaded at 0x000007FEF08A0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-08-13 23:43:44,523 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,553 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:44,553 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,553 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:44,569 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,601 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:44,601 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:44,601 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,601 [root] DEBUG: DLL loaded at 0x000007FEFC730000: C:\Windows\system32\version (0xc000 bytes).
2019-08-13 23:43:44,617 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,617 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:44,648 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,664 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:44,664 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,664 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,664 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,678 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:44,710 [root] DEBUG: DLL loaded at 0x000007FEF0570000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-08-13 23:43:44,710 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:44,710 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:44,710 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:44,710 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:44,710 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,726 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,726 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:44,742 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,742 [root] DEBUG: DLL loaded at 0x000007FEF98F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-08-13 23:43:44,756 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:44,756 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:44,788 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:44,788 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:44,803 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-08-13 23:43:45,053 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:45,053 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:45,053 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:45,053 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:45,053 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:45,053 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:45,069 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:45,069 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:45,085 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:45,085 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:45,085 [root] DEBUG: DLL loaded at 0x000007FEF3CA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-08-13 23:43:45,085 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:45,085 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:45,099 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:45,115 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:45,115 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:45,131 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:45,147 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:45,163 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:45,177 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:45,177 [root] DEBUG: DLL loaded at 0x000007FEF0480000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-08-13 23:43:45,177 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:45,177 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:45,194 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:45,194 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:45,194 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:45,210 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:45,224 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:45,224 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:45,224 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-08-13 23:43:45,240 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:45,272 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:45,272 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:45,302 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:45,302 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:45,319 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:45,381 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:45,381 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:45,474 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:45,474 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:45,490 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:45,490 [root] DEBUG: DLL loaded at 0x000007FEF0260000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-08-13 23:43:45,490 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:45,490 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:45,490 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:45,490 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:45,506 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:45,506 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:45,506 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:45,506 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:45,536 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:45,536 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:45,552 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:45,568 [root] DEBUG: DLL loaded at 0x000007FEF0140000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-08-13 23:43:45,568 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:45,584 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:45,599 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:45,943 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:46,302 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:46,302 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:46,302 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:46,302 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-08-13 23:43:46,302 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:46,302 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:46,332 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:46,332 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:46,332 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:46,332 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:46,332 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:46,348 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:46,348 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-08-13 23:43:46,380 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:46,426 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:46,457 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:46,457 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:46,473 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:46,473 [root] DEBUG: DLL loaded at 0x000000001CFD0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:43:46,473 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:46,473 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:46,473 [root] DEBUG: DLL loaded at 0x000000001D070000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:43:46,473 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-08-13 23:43:46,489 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:46,503 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:46,503 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:46,503 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:46,536 [root] DEBUG: DLL loaded at 0x000000001CF50000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:43:46,536 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:46,536 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:43:46,551 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:43:46,551 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:46,551 [root] DEBUG: DLL loaded at 0x000007FEEFFB0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-08-13 23:43:46,551 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:46,582 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:46,582 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:46,598 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:43:46,598 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:43:46,614 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:46,614 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:46,614 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:43:46,614 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:46,614 [root] DEBUG: DLL loaded at 0x000007FEEF900000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-08-13 23:43:46,628 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:43:46,815 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:46,815 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:46,815 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:46,910 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:43:47,082 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:43:47,082 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEEF790000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:47,269 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:47,456 [root] DEBUG: DLL loaded at 0x000007FEEF5F0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-08-13 23:43:47,517 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:43:47,595 [root] DEBUG: DLL loaded at 0x000007FEFBF70000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-08-13 23:43:47,690 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:59,483 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:43:59,499 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:59,499 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:59,499 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:43:59,546 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:43:59,546 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:43:59,576 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:43:59,608 [root] DEBUG: DLL loaded at 0x000000001D090000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:44:07,502 [root] DEBUG: DLL loaded at 0x000000001CFF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:44:07,502 [root] DEBUG: DLL loaded at 0x000000001D010000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:44:07,502 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:07,532 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:07,532 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:44:07,549 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:07,549 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:13,492 [root] DEBUG: DLL loaded at 0x000007FEFD180000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-08-13 23:44:13,492 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:44:13,492 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:44:13,492 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:13,507 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:13,507 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:44:13,555 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:13,555 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:44:19,497 [root] DEBUG: DLL loaded at 0x000000001D0F0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:44:19,497 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:44:19,497 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:19,497 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:44:19,513 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:44:19,513 [root] DEBUG: DLL loaded at 0x000000001D020000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:44:19,529 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:44:19,561 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:44:21,260 [root] DEBUG: DLL loaded at 0x000007FEEEDA0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-08-13 23:44:21,260 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:44:21,260 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:21,260 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:44:21,417 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:44:21,417 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:21,417 [root] DEBUG: DLL unloaded from 0x000007FEF8840000.
2019-08-13 23:44:21,417 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:44:21,433 [root] DEBUG: DLL loaded at 0x000000001D130000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-08-13 23:44:21,433 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:44:21,447 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:44:21,447 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2208
2019-08-13 23:44:21,463 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:21,463 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2064
2019-08-13 23:44:21,463 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:44:21,480 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:44:21,510 [root] DEBUG: GetHookCallerBase: thread 2276 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,572 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:44:21,572 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:44:21,572 [root] DEBUG: GetHookCallerBase: thread 2072 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,572 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:21,588 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2532
2019-08-13 23:44:21,588 [root] DEBUG: DLL unloaded from 0x000007FEFEA80000.
2019-08-13 23:44:21,635 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:21,635 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:21,651 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,651 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,651 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:21,667 [root] DEBUG: DLL unloaded from 0x000007FEF8840000.
2019-08-13 23:44:21,667 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:44:21,667 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:44:21,681 [root] DEBUG: GetHookCallerBase: thread 2536 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,681 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:21,697 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:21,697 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:21,697 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:21,697 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:44:21,729 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:44:21,729 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2624
2019-08-13 23:44:21,729 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,729 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:21,729 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:21,759 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:44:21,806 [root] DEBUG: GetHookCallerBase: thread 2648 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,806 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:21,838 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:21,854 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:44:21,854 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,869 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:21,869 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:21,869 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2588
2019-08-13 23:44:21,884 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2044
2019-08-13 23:44:21,915 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2208_14182679354124114382019
2019-08-13 23:44:21,931 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2972
2019-08-13 23:44:21,931 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:21,947 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00240000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:21,947 [root] DEBUG: GetHookCallerBase: thread 2608 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,947 [root] DEBUG: GetHookCallerBase: thread 2556 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,947 [root] DEBUG: GetHookCallerBase: thread 2988 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:21,947 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2532_14219484764124114382019
2019-08-13 23:44:21,963 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,979 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2064_17558431384124114382019
2019-08-13 23:44:21,979 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:21,979 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:21,979 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,979 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-08-13 23:44:21,979 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:21,979 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:21,993 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:21,993 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,009 [root] INFO: Notified of termination of process with pid 2208.
2019-08-13 23:44:22,026 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:22,026 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00240000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-08-13 23:44:22,026 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:22,026 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1316
2019-08-13 23:44:22,026 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:22,040 [root] INFO: Notified of termination of process with pid 2064.
2019-08-13 23:44:22,040 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2624_223238386125114382019
2019-08-13 23:44:22,040 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:22,056 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:22,056 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2512
2019-08-13 23:44:22,056 [root] DEBUG: GetHookCallerBase: thread 2388 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:22,056 [root] INFO: Notified of termination of process with pid 2532.
2019-08-13 23:44:22,072 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2580
2019-08-13 23:44:22,072 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,088 [root] DEBUG: GetHookCallerBase: thread 2520 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,088 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 560
2019-08-13 23:44:22,088 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:22,104 [root] DEBUG: GetHookCallerBase: thread 2584 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,104 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2588_1644962851225114382019
2019-08-13 23:44:22,104 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1312
2019-08-13 23:44:22,104 [root] DEBUG: DLL unloaded from 0x000007FEFBDB0000.
2019-08-13 23:44:22,118 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,118 [root] DEBUG: GetHookCallerBase: thread 320 (handle 0x0), return address 0x000000013F33C504, allocation base 0x000000013F330000.
2019-08-13 23:44:22,118 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:22,118 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,118 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2044_1639388800225114382019
2019-08-13 23:44:22,118 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2972_1506508376225114382019
2019-08-13 23:44:22,118 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,118 [root] DEBUG: GetHookCallerBase: thread 332 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,134 [root] DEBUG: DLL unloaded from 0x0000000077460000.
2019-08-13 23:44:22,134 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,134 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000013F330000.
2019-08-13 23:44:22,134 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:22,134 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,134 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,150 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,150 [root] DEBUG: DLL unloaded from 0x000007FEF2D10000.
2019-08-13 23:44:22,150 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,150 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,150 [root] DEBUG: DLL unloaded from 0x000007FEFBDB0000.
2019-08-13 23:44:22,150 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F330000.
2019-08-13 23:44:22,150 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,165 [root] INFO: Notified of termination of process with pid 2044.
2019-08-13 23:44:22,165 [root] DEBUG: DLL unloaded from 0x000007FEF7B80000.
2019-08-13 23:44:22,165 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,181 [root] DEBUG: DLL unloaded from 0x0000000077460000.
2019-08-13 23:44:22,181 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,181 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:44:22,181 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\1316_1788887460225114382019
2019-08-13 23:44:22,181 [root] INFO: Notified of termination of process with pid 2972.
2019-08-13 23:44:22,181 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,197 [root] DEBUG: DLL unloaded from 0x000007FEFC700000.
2019-08-13 23:44:22,197 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2948
2019-08-13 23:44:22,197 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,197 [root] DEBUG: DLL unloaded from 0x000007FEF2D10000.
2019-08-13 23:44:22,213 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,213 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2392
2019-08-13 23:44:22,213 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:44:22,227 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,227 [root] DEBUG: GetHookCallerBase: thread 2952 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,227 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,227 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2512_13980776602224114382019
2019-08-13 23:44:22,227 [root] DEBUG: DLL unloaded from 0x000007FEF7B80000.
2019-08-13 23:44:22,243 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\560_1276111523225114382019
2019-08-13 23:44:22,243 [root] INFO: Notified of termination of process with pid 1316.
2019-08-13 23:44:22,243 [root] DEBUG: GetHookCallerBase: thread 2400 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,243 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,243 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,259 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:44:22,259 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:44:22,259 [root] DEBUG: DLL unloaded from 0x000007FEFC700000.
2019-08-13 23:44:22,259 [root] INFO: Notified of termination of process with pid 2624.
2019-08-13 23:44:22,259 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:44:22,275 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2240
2019-08-13 23:44:22,275 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,275 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,290 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:44:22,290 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,290 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,290 [root] INFO: Notified of termination of process with pid 2580.
2019-08-13 23:44:22,305 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2732
2019-08-13 23:44:22,305 [root] DEBUG: GetHookCallerBase: thread 2260 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,305 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,322 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,322 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,338 [root] INFO: Notified of termination of process with pid 560.
2019-08-13 23:44:22,338 [root] DEBUG: GetHookCallerBase: thread 2488 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,338 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,338 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,352 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,352 [root] INFO: Notified of termination of process with pid 2512.
2019-08-13 23:44:22,352 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2408
2019-08-13 23:44:22,352 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,368 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,368 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,368 [root] INFO: Notified of termination of process with pid 2588.
2019-08-13 23:44:22,384 [root] DEBUG: GetHookCallerBase: thread 1464 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,384 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,384 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,400 [root] INFO: Notified of termination of process with pid 1312.
2019-08-13 23:44:22,400 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,400 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2928
2019-08-13 23:44:22,400 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,400 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2948_9284158342224114382019
2019-08-13 23:44:22,415 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,415 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,430 [root] DEBUG: GetHookCallerBase: thread 2932 (handle 0x0), return address 0x000000004AB187DD, allocation base 0x000000004AB10000.
2019-08-13 23:44:22,430 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2392_14497931372224114382019
2019-08-13 23:44:22,430 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,430 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:44:22,461 [root] INFO: Process with pid 1312 has terminated
2019-08-13 23:44:22,461 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,461 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x000000004AB10000.
2019-08-13 23:44:22,461 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:44:22,477 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:44:22,477 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,477 [root] INFO: Process with pid 2532 has terminated
2019-08-13 23:44:22,493 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2240_11041281442224114382019
2019-08-13 23:44:22,493 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,493 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004AB10000.
2019-08-13 23:44:22,509 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,509 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,509 [root] INFO: Process with pid 2064 has terminated
2019-08-13 23:44:22,509 [root] INFO: Notified of termination of process with pid 2948.
2019-08-13 23:44:22,525 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:44:22,525 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:44:22,525 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:44:22,539 [root] INFO: Process with pid 2588 has terminated
2019-08-13 23:44:22,539 [root] INFO: Notified of termination of process with pid 2392.
2019-08-13 23:44:22,555 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,555 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:44:22,555 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:44:22,555 [root] INFO: Process with pid 2972 has terminated
2019-08-13 23:44:22,572 [root] INFO: Notified of termination of process with pid 2732.
2019-08-13 23:44:22,572 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,586 [root] INFO: Process with pid 2512 has terminated
2019-08-13 23:44:22,586 [root] INFO: Notified of termination of process with pid 2240.
2019-08-13 23:44:22,602 [root] INFO: Process with pid 2208 has terminated
2019-08-13 23:44:22,602 [root] INFO: Notified of termination of process with pid 2408.
2019-08-13 23:44:22,618 [root] INFO: Process with pid 560 has terminated
2019-08-13 23:44:22,618 [root] INFO: Added new CAPE file to list with path: C:\CAMuQTV\CAPE\2928_7141532882224114382019
2019-08-13 23:44:22,618 [root] INFO: Process with pid 2624 has terminated
2019-08-13 23:44:22,634 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:44:22,650 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2019-08-13 23:44:22,664 [root] INFO: Notified of termination of process with pid 2928.
2019-08-13 23:44:23,648 [root] INFO: Process with pid 2580 has terminated
2019-08-13 23:44:23,648 [root] INFO: Process with pid 2392 has terminated
2019-08-13 23:44:23,664 [root] INFO: Process with pid 2044 has terminated
2019-08-13 23:44:23,678 [root] INFO: Process with pid 2732 has terminated
2019-08-13 23:44:23,678 [root] INFO: Process with pid 1316 has terminated
2019-08-13 23:44:24,709 [root] INFO: Process with pid 2928 has terminated
2019-08-13 23:44:24,709 [root] INFO: Process with pid 2408 has terminated
2019-08-13 23:44:25,737 [root] INFO: Process with pid 2948 has terminated
2019-08-13 23:44:26,752 [root] INFO: Process with pid 2240 has terminated
2019-08-13 23:46:49,773 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 23:46:49,773 [root] INFO: Created shutdown mutex.
2019-08-13 23:46:50,788 [root] INFO: Shutting down package.
2019-08-13 23:46:50,788 [root] INFO: Stopping auxiliary modules.
2019-08-13 23:46:50,788 [root] INFO: Finishing auxiliary modules.
2019-08-13 23:46:50,788 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 23:46:50,802 [root] WARNING: File at path "C:\CAMuQTV\debugger" does not exist, skip.
2019-08-13 23:46:50,802 [root] INFO: Analysis completed.

MalScore

10.0

TrickBot

Machine

Name Label Manager Started On Shutdown On
target-03 target-03 ESX 2019-08-13 22:42:50 2019-08-13 22:47:04

File Details

File Name a7e934bb1f865514da83d76fed0eb759d618d7cfe030bcad356faaa6f8ebbd87
File Size 675606 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 46979268bea4f083f5d64c624d7f5efe
SHA1 efeb765dfe7d32c1ce620be6ab5397b782802ea7
SHA256 a7e934bb1f865514da83d76fed0eb759d618d7cfe030bcad356faaa6f8ebbd87
SHA512 55c85db35a1338cc2b7e1ff8b942d0e9638318de2c2db7ca1c0a82fddb2adbbc2e3894b4442868e46385ba273611771bf69fccd190baa75e2aaa6520deaa325e
CRC32 2827F1C6
Ssdeep 12288:AS+KbqpaOuUNkAE+e00SFxEKBnLKGP0ZZuBEJFBsM0Nb:ASlAaOuqkAFe00/0+GPsZOVM0Nb
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SEEPWD20EEZLNL9EWFZ2.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\26K5T2YTXINFI35VOD4C.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2996 trigged the Yara rule 'TrickBot'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: HNSEfLxEppqeUq.exe, PID 1420
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2532.12403182
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2532.12403182
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2532.12403182
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2792.13248285
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2792.13248285
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2792.13248301
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RC1D4LVLLPHF4JLIY649.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2064.12403260
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2064.12403260
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2064.12403260
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSIOMX2AUKPJXQKO0IM9.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2588.12403541
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2588.12403541
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2588.12403541
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUPIUSV1H5G4IOC78A6W.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2972.12403635
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2972.12403635
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2972.12403650
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2044.12403697
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2044.12403697
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2044.12403697
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2208.12403323
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2208.12403323
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2208.12403323
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41bf.TMP
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.560.12403962
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.560.12403978
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.560.12403978
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2624.12403510
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2624.12403510
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2624.12403510
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1316.12403993
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1316.12403993
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1316.12403993
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: version.dll/GetFileVersionInfoSize
DynamicLoader: version.dll/GetFileVersionInfoSizeW
DynamicLoader: version.dll/GetFileVersionInfo
DynamicLoader: version.dll/GetFileVersionInfoW
DynamicLoader: version.dll/VerQueryValue
DynamicLoader: version.dll/VerQueryValueW
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: mscoree.dll/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcpy
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: version.dll/VerLanguageName
DynamicLoader: version.dll/VerLanguageNameW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetExitCodeProcessW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/EnumWindowsW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/GetWindowThreadProcessIdW
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguagesW
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/GetUserDefaultLocaleNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfoW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalAllocW
DynamicLoader: mscoree.dll/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenExW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/CheckTokenMembershipW
DynamicLoader: kernel32.dll/GetConsoleTitle
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/SetConsoleTitle
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCtrlHandlerW
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: ntdll.dll/WinSqmIsOptedIn
DynamicLoader: kernel32.dll/ExpandEnvironmentStrings
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/SetEnvironmentVariable
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/RegQueryInfoKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumValue
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyEx
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: secur32.dll/GetUserNameEx
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: ADVAPI32.dll/RegisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/ReportEvent
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: kernel32.dll/GetLogicalDrives
DynamicLoader: kernel32.dll/GetDriveType
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetVolumeInformation
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: mscoree.dll/IEE
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetStdHandleW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleModeW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/SetThreadUILanguageW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: mscoree.dll/CorExitProcess
DynamicLoader: mscoreei.dll/CorExitProcess_RetAddr
DynamicLoader: mscoreei.dll/CorExitProcess
DynamicLoader: mscorwks.dll/CorExitProcess
DynamicLoader: mscorwks.dll/_CorDllMain
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/AddRefActCtx
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetCurrentActCtx
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
A process created a hidden window
Process: HNSEfLxEppqeUq.exe -> C:\ProgramData\ОЛкАесмЫфц.exe
Process: ОЛкАесмЫфц.exe -> cmd.exe
A scripting utility was executed
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: powershell Set-MpPreference -DisableIOAVProtection $true
command: powershell Set-MpPreference -DisablePrivacyMode $true
command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: powershell Set-MpPreference -SevereThreatDefaultAction 6
command: powershell Set-MpPreference -LowThreatDefaultAction 6
command: powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: powershell Set-MpPreference -DisableScriptScanning $true
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
command: cmd.exe /c sc stop WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
command: cmd.exe /c sc delete WinDefend
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: sc stop WinDefend
command: sc delete WinDefend
Attempts to stop active services
servicename: WinDefend
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: powershell.exe (2208) called API NtYieldExecution 278939 times
Spoofs its process name and/or associated pathname to appear as a legitimate process
original_path: C:\Windows\system32\svchost.exe
original_name: svchost.exe
modified_name: svchost.exe
modified_path: C:\ProgramData\ОЛкАесмЫфц.exe
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4152.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4162.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4182.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4181.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4143.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41bf.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4163.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41df.TMP
CAPE detected the TrickBot malware family
Creates a copy of itself
copy: C:\ProgramData\\xd0\x9e\xd0\x9b\xd0\xba\xd0\x90\xd0\xb5\xd1\x81\xd0\xbc\xd0\xab\xd1\x84\xd1\x86.exe
Attempts to disable Windows Defender


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4182.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4143.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PR67G7BXZV0GRCWG1LH.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41bf.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd4163.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41df.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SEEPWD20EEZLNL9EWFZ2.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2532.12403182
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2532.12403182
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2532.12403182
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\26K5T2YTXINFI35VOD4C.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2792.13248285
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2792.13248285
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2792.13248301
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RC1D4LVLLPHF4JLIY649.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2064.12403260
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2064.12403260
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2064.12403260
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSIOMX2AUKPJXQKO0IM9.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2588.12403541
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2588.12403541
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2588.12403541
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUPIUSV1H5G4IOC78A6W.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2972.12403635
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2972.12403635
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2972.12403650
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWICGGM3CAS6IDT43DP.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2044.12403697
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2044.12403697
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2044.12403697
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T7V0WOC5SR5UKDDR9XBF.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2208.12403323
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2208.12403323
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2208.12403323
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFbd41bf.TMP
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.560.12403962
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.560.12403978
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.560.12403978
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YEQP9L800OMYB0C7IBFI.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2624.12403510
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2624.12403510
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2624.12403510
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L74ZL1KUYRC508AYO5ZL.temp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1316.12403993
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1316.12403993
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1316.12403993
HKEY_CLASSES_ROOT\SystemFileAssociations\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID\(Default)
HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\Implemented Categories\{00021490-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-735
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-734
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\AccessibilityCpl.dll,-10
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-737
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sud.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wucltux.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\ehome\ehres.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10030
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\rstrui.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\comres.dll,-3410
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mycomput.dll,-300
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10021
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msconfig.exe,-126
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\gameux.dll,-10082
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msra.exe,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PropertyBag
HKEY_CLASSES_ROOT\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SortOrderIndex
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erpqvfp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfen.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxBssvprQvtvgnyFSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\ZFGBER.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxFrgYnathntrSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxJkcSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BVF.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Pbzzba Svyrf\zvpebfbsg funerq\BSSVPR14\Bssvpr Frghc Pbagebyyre\cebzb.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{53123611-QN37-S8QN-SNP9-03R76QO9Q64Q}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
HKEY_CLASSES_ROOT\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\PowerShellVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\RuntimeVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\13b06edc\3d40437\3b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5569937f\21247651\3e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\73843e06\43a920ef\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\19ab8d57\1bd7b0d8\8f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3d40437\3f3fc448\3b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\30bc7c4f\3f50fe4f\90\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\424bd4d8\1c83327b\8e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3f50fe4f\6f1da7aa\90\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\130e9a23\5569937f\3e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3b249b34\157e0c82\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\2b1a4e4\38a3212c\4c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\3a6a696d\52d7076e\7a\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\5b43ba09\4355c2d6\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Transactions,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\5d88ef29\7f5cd084\3f\DisplayName