Analysis

Category: FILE
Package: TrickBot
Started: 2019-08-13 22:47:58
Completed: 2019-08-13 22:52:11
Duration: 253 seconds

Options:
route = internet
procdump = 0

Log:
2019-08-13 23:47:59,015 [root] INFO: Date set to: 08-13-19, time set to: 22:47:59, timeout set to: 200
2019-08-13 23:47:59,046 [root] DEBUG: Starting analyzer from: C:\dpatymp
2019-08-13 23:47:59,046 [root] DEBUG: Storing results at: C:\osCHmo
2019-08-13 23:47:59,046 [root] DEBUG: Pipe server name: \\.\PIPE\PyxZcn
2019-08-13 23:47:59,046 [root] INFO: Analysis package "TrickBot" has been specified.
2019-08-13 23:47:59,358 [root] DEBUG: Started auxiliary module Browser
2019-08-13 23:47:59,358 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 23:47:59,358 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 23:47:59,624 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 23:47:59,624 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 23:47:59,624 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 23:47:59,624 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 23:47:59,624 [root] DEBUG: Started auxiliary module Human
2019-08-13 23:47:59,624 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 23:47:59,638 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 23:47:59,638 [root] DEBUG: Started auxiliary module Usage
2019-08-13 23:47:59,654 [root] INFO: Analyzer: DLL set to DumpOnAPI.dll from package modules.packages.TrickBot
2019-08-13 23:47:59,654 [root] INFO: Analyzer: DLL_64 set to DumpOnAPI_x64.dll from package modules.packages.TrickBot
2019-08-13 23:47:59,717 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\xhRSI8L8Kam.exe" with arguments "" with pid 2132
2019-08-13 23:47:59,717 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:47:59,717 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:47:59,717 [lib.api.process] INFO: 32-bit DLL to inject is C:\dpatymp\dll\ThXRIftU.dll, loader C:\dpatymp\bin\HqhCeFU.exe
2019-08-13 23:47:59,717 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:47:59,733 [root] DEBUG: Loader: Injecting process 2132 (thread 1936) with C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:47:59,733 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:47:59,733 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:47:59,733 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77380000
2019-08-13 23:47:59,733 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:47:59,733 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:47:59,733 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:47:59,733 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2132
2019-08-13 23:48:01,744 [lib.api.process] INFO: Successfully resumed process with pid 2132
2019-08-13 23:48:01,744 [root] INFO: Added new process to list with pid: 2132
2019-08-13 23:48:01,854 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:01,854 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:01,854 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:02,009 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:02,009 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:02,009 [root] DEBUG: CAPE initialised: 32-bit DumpOnAPI package loaded at 0x74af0000, process image base 0x400000, stack from 0x286000-0x290000
2019-08-13 23:48:02,009 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:02,009 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:02,009 [root] INFO: Monitor successfully loaded in process with pid 2132.
2019-08-13 23:48:02,009 [root] DEBUG: GetHookCallerBase: thread 1936 (handle 0x0), return address 0x004012A9, allocation base 0x00400000.
2019-08-13 23:48:02,009 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00400000 main_caller_retaddr 0x004012A9 parent_caller_retaddr 0x00000000.
2019-08-13 23:48:02,009 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:48:02,009 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:48:02,026 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2132_1964233776228014382019
2019-08-13 23:48:02,026 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:48:02,026 [root] DEBUG: Dump-on-API: Dumped module at 0x00400000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:02,026 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:48:02,042 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:48:02,042 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:48:02,042 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:48:02,088 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:48:02,088 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:48:02,088 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:48:02,088 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:48:02,134 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:48:02,134 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:48:02,259 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 23:48:02,525 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:48:02,588 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:48:02,634 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:48:02,634 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:48:03,039 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:48:03,039 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:48:03,039 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:48:03,039 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:48:03,039 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-13 23:48:03,134 [root] INFO: Announced 32-bit process name: ропрУВаЫсен.exe pid: 2736
2019-08-13 23:48:03,134 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:03,134 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:03,134 [lib.api.process] INFO: 32-bit DLL to inject is C:\dpatymp\dll\ThXRIftU.dll, loader C:\dpatymp\bin\HqhCeFU.exe
2019-08-13 23:48:03,148 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:03,148 [root] DEBUG: Loader: Injecting process 2736 (thread 2952) with C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:48:03,148 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:48:03,148 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:48:03,148 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77380000
2019-08-13 23:48:03,148 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:48:03,148 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:03,148 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:48:03,148 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2736
2019-08-13 23:48:03,148 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:03,148 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:03,148 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:03,148 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:03,148 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:03,164 [root] DEBUG: DLL unloaded from 0x74730000.
2019-08-13 23:48:03,164 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-13 23:48:03,164 [root] DEBUG: CAPE initialised: 32-bit DumpOnAPI package loaded at 0x74af0000, process image base 0x400000, stack from 0x287000-0x290000
2019-08-13 23:48:03,164 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-13 23:48:03,164 [root] INFO: Added new process to list with pid: 2736
2019-08-13 23:48:03,164 [root] INFO: Monitor successfully loaded in process with pid 2736.
2019-08-13 23:48:03,164 [root] INFO: Notified of termination of process with pid 2132.
2019-08-13 23:48:03,164 [root] DEBUG: GetHookCallerBase: thread 2952 (handle 0x0), return address 0x004012A9, allocation base 0x00400000.
2019-08-13 23:48:03,196 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00400000 main_caller_retaddr 0x004012A9 parent_caller_retaddr 0x00000000.
2019-08-13 23:48:03,196 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:48:03,196 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:48:03,211 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2736_635821252328014382019
2019-08-13 23:48:03,211 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:48:03,211 [root] DEBUG: Dump-on-API: Dumped module at 0x00400000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:03,211 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:48:03,243 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:48:03,257 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:48:03,257 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:48:03,257 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:48:03,257 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:48:03,257 [root] DEBUG: DLL unloaded from 0x76790000.
2019-08-13 23:48:03,305 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:48:03,305 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:48:03,335 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:48:03,335 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:48:03,351 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:48:03,476 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:03,664 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:03,710 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:48:03,773 [root] INFO: Process with pid 2132 has terminated
2019-08-13 23:48:03,898 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:48:03,898 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:48:03,914 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:48:03,914 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:48:03,914 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:48:03,914 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:48:03,928 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:48:03,928 [root] INFO: Announced 64-bit process name: cmd.exe pid: 832
2019-08-13 23:48:03,928 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-13 23:48:03,944 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:03,944 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:03,944 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:03,976 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:03,976 [root] DEBUG: Loader: Injecting process 832 (thread 1328) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:03,992 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:03,992 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,053 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,069 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,069 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,085 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,085 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 832
2019-08-13 23:48:04,115 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,131 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,131 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,131 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,163 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,163 [root] DEBUG: DLL unloaded from 0x74720000.
2019-08-13 23:48:04,163 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:04,178 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,178 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000134000-0x0000000000230000
2019-08-13 23:48:04,178 [root] INFO: Added new process to list with pid: 832
2019-08-13 23:48:04,178 [root] INFO: Monitor successfully loaded in process with pid 832.
2019-08-13 23:48:04,194 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,194 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,319 [root] DEBUG: GetHookCallerBase: thread 1328 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,319 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2352
2019-08-13 23:48:04,319 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,319 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,319 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,319 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,335 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,335 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,335 [root] DEBUG: Loader: Injecting process 2352 (thread 1428) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,335 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,335 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,335 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,349 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,349 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,349 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,349 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,349 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2352
2019-08-13 23:48:04,349 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,349 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:04,365 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,381 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,381 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,413 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,413 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,413 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,427 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,427 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 23:48:04,427 [root] INFO: Added new process to list with pid: 2352
2019-08-13 23:48:04,427 [root] INFO: Monitor successfully loaded in process with pid 2352.
2019-08-13 23:48:04,427 [root] DEBUG: GetHookCallerBase: thread 1428 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,460 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,460 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,474 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,522 [root] INFO: Announced 64-bit process name: cmd.exe pid: 828
2019-08-13 23:48:04,522 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,522 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,522 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,538 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,538 [root] DEBUG: Loader: Injecting process 828 (thread 2524) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,538 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,538 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,538 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,552 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,552 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,552 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,552 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,569 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,569 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 828
2019-08-13 23:48:04,569 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2352_355324680428014382019
2019-08-13 23:48:04,569 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,569 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:04,569 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:04,569 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:04,569 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:04,569 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,569 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:04,584 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,584 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,584 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\832_544389728428014382019
2019-08-13 23:48:04,584 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:04,584 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,584 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,584 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,584 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,599 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,599 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2760
2019-08-13 23:48:04,599 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\832_544389728428014382019
2019-08-13 23:48:04,599 [root] DEBUG: DumpRegion: Dumped stack region from 0x000000004A870000, size 0x59000.
2019-08-13 23:48:04,599 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000054000-0x0000000000150000
2019-08-13 23:48:04,599 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,599 [root] DEBUG: Dump-on-API: Dumped memory region at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,599 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,599 [root] INFO: Added new process to list with pid: 828
2019-08-13 23:48:04,599 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,599 [root] INFO: Monitor successfully loaded in process with pid 828.
2019-08-13 23:48:04,615 [root] DEBUG: GetHookCallerBase: thread 2524 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,615 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,615 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,615 [root] DEBUG: Loader: Injecting process 2760 (thread 1732) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,615 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,615 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,615 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,615 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,615 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:04,615 [root] INFO: Announced 64-bit process name: sc.exe pid: 1664
2019-08-13 23:48:04,615 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,631 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,631 [root] INFO: Announced 64-bit process name: sc.exe pid: 2144
2019-08-13 23:48:04,631 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,631 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,631 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,631 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,631 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,631 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,631 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,631 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,631 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,631 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2760
2019-08-13 23:48:04,631 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,631 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,647 [root] DEBUG: Loader: Injecting process 1664 (thread 1916) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,647 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,647 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\828_1835080048428014382019
2019-08-13 23:48:04,647 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:04,647 [root] DEBUG: Process image base: 0x00000000FF180000
2019-08-13 23:48:04,647 [root] DEBUG: Loader: Injecting process 2144 (thread 1440) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,647 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:04,647 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,647 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,647 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,647 [root] DEBUG: Process image base: 0x00000000FF180000
2019-08-13 23:48:04,647 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,647 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,647 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF18F000 - 0x000007FEFF6A0000
2019-08-13 23:48:04,647 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,661 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,661 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,661 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF190000.
2019-08-13 23:48:04,661 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF18F000 - 0x000007FEFF6A0000
2019-08-13 23:48:04,661 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,661 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,661 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,661 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FF190000.
2019-08-13 23:48:04,661 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,677 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000114000-0x0000000000210000
2019-08-13 23:48:04,677 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,677 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2936
2019-08-13 23:48:04,677 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1664
2019-08-13 23:48:04,677 [root] INFO: Added new process to list with pid: 2760
2019-08-13 23:48:04,677 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,677 [root] INFO: Monitor successfully loaded in process with pid 2760.
2019-08-13 23:48:04,677 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,677 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2144
2019-08-13 23:48:04,677 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,677 [root] DEBUG: GetHookCallerBase: thread 1732 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,677 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,677 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,677 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,677 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,694 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,694 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,694 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,694 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,694 [root] DEBUG: Loader: Injecting process 2936 (thread 1756) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,694 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,694 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:04,694 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,694 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,694 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,694 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,694 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1412
2019-08-13 23:48:04,694 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,694 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,709 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,709 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,709 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,709 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FF180000, stack from 0x00000000001E5000-0x00000000001F0000
2019-08-13 23:48:04,709 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FF180000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 23:48:04,709 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,724 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,724 [root] INFO: Added new process to list with pid: 1664
2019-08-13 23:48:04,724 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,724 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,724 [root] INFO: Added new process to list with pid: 2144
2019-08-13 23:48:04,724 [root] INFO: Monitor successfully loaded in process with pid 1664.
2019-08-13 23:48:04,724 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2760_1895237928428014382019
2019-08-13 23:48:04,724 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,724 [root] INFO: Monitor successfully loaded in process with pid 2144.
2019-08-13 23:48:04,724 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2936
2019-08-13 23:48:04,724 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:04,724 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,724 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,724 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,724 [root] DEBUG: Loader: Injecting process 1412 (thread 2028) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,724 [root] DEBUG: GetHookCallerBase: thread 1440 (handle 0x0), return address 0x00000000FF181D01, allocation base 0x00000000FF180000.
2019-08-13 23:48:04,724 [root] DEBUG: GetHookCallerBase: thread 1916 (handle 0x0), return address 0x00000000FF181D01, allocation base 0x00000000FF180000.
2019-08-13 23:48:04,724 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:04,740 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,740 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:04,740 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FF180000 main_caller_retaddr 0x00000000FF181D01 parent_caller_retaddr 0x00000000FF181E7B.
2019-08-13 23:48:04,740 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FF180000 main_caller_retaddr 0x00000000FF181D01 parent_caller_retaddr 0x00000000FF181E7B.
2019-08-13 23:48:04,740 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,740 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:04,740 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,740 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,740 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF180000.
2019-08-13 23:48:04,740 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF180000.
2019-08-13 23:48:04,756 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,756 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,756 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:48:04,756 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1192
2019-08-13 23:48:04,756 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:04,756 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:48:04,756 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,756 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,756 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:04,756 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,756 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,756 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,756 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1548
2019-08-13 23:48:04,772 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,772 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,772 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:48:04,772 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:04,772 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,772 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,772 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,772 [root] INFO: Added new process to list with pid: 2936
2019-08-13 23:48:04,772 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:04,772 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,772 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2144_929581968428014382019
2019-08-13 23:48:04,772 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1412
2019-08-13 23:48:04,772 [root] INFO: Monitor successfully loaded in process with pid 2936.
2019-08-13 23:48:04,772 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,772 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:04,786 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,786 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:48:04,786 [root] DEBUG: GetHookCallerBase: thread 1756 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,786 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\1664_1070377005428014382019
2019-08-13 23:48:04,786 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,786 [root] DEBUG: Loader: Injecting process 1192 (thread 2864) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,786 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FF180000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,786 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,802 [root] DEBUG: Loader: Injecting process 1548 (thread 1088) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,802 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:04,802 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,802 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,802 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,802 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,802 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,802 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\1664_1070377005428014382019
2019-08-13 23:48:04,802 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:04,802 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,802 [root] DEBUG: DumpRegion: Dumped stack region from 0x00000000FF180000, size 0xf000.
2019-08-13 23:48:04,802 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,802 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:04,802 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,818 [root] DEBUG: Dump-on-API: Dumped memory region at 0x00000000FF180000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,818 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,818 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,818 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,818 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,818 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1192
2019-08-13 23:48:04,818 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1548
2019-08-13 23:48:04,818 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2936_460387914428014382019
2019-08-13 23:48:04,834 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,834 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:04,834 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:04,834 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,834 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,834 [root] DEBUG: DLL unloaded from 0x000007FEFE500000.
2019-08-13 23:48:04,834 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,834 [root] DEBUG: DLL unloaded from 0x000007FEFE500000.
2019-08-13 23:48:04,834 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:04,849 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,849 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,849 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2344
2019-08-13 23:48:04,849 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,849 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,849 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,849 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,849 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,849 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,865 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000001D4000-0x00000000002D0000
2019-08-13 23:48:04,865 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2180
2019-08-13 23:48:04,865 [root] INFO: Added new process to list with pid: 1548
2019-08-13 23:48:04,865 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,865 [root] INFO: Monitor successfully loaded in process with pid 1548.
2019-08-13 23:48:04,865 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,865 [root] DEBUG: Loader: Injecting process 2344 (thread 2720) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,865 [root] DEBUG: GetHookCallerBase: thread 1088 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,865 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,865 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:04,865 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,865 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,881 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,881 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:04,881 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,881 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:04,881 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,881 [root] DEBUG: Loader: Injecting process 2180 (thread 2624) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,881 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,881 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,881 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,881 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,881 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,895 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2344
2019-08-13 23:48:04,895 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,895 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,895 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,895 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,895 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,895 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,895 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,895 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,895 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,895 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\1548_917824496428014382019
2019-08-13 23:48:04,895 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,895 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,911 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,911 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,911 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:04,911 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2180
2019-08-13 23:48:04,911 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,911 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,911 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:04,911 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:04,911 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,927 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000001F5000-0x0000000000200000
2019-08-13 23:48:04,927 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:04,927 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:04,927 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000296000-0x00000000002A0000
2019-08-13 23:48:04,927 [root] INFO: Added new process to list with pid: 2344
2019-08-13 23:48:04,927 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000000C6000-0x00000000000D0000
2019-08-13 23:48:04,943 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:04,943 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2008
2019-08-13 23:48:04,943 [root] INFO: Monitor successfully loaded in process with pid 2344.
2019-08-13 23:48:04,943 [root] INFO: Added new process to list with pid: 1192
2019-08-13 23:48:04,943 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,943 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,943 [root] INFO: Monitor successfully loaded in process with pid 1192.
2019-08-13 23:48:04,943 [root] INFO: Added new process to list with pid: 1412
2019-08-13 23:48:04,943 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,943 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,943 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:04,943 [root] INFO: Monitor successfully loaded in process with pid 1412.
2019-08-13 23:48:04,943 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,943 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,943 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:04,959 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,959 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,959 [root] DEBUG: Loader: Injecting process 2008 (thread 2092) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,959 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2072
2019-08-13 23:48:04,959 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000204000-0x0000000000300000
2019-08-13 23:48:04,959 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:04,959 [root] INFO: Added new process to list with pid: 2180
2019-08-13 23:48:04,973 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:04,973 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,973 [root] INFO: Monitor successfully loaded in process with pid 2180.
2019-08-13 23:48:04,973 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:04,973 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:04,973 [root] DEBUG: GetHookCallerBase: thread 2624 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:04,973 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:04,973 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:04,973 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:04,973 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,973 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:04,973 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,973 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:04,973 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:04,973 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2008
2019-08-13 23:48:04,990 [root] DEBUG: Loader: Injecting process 2072 (thread 1572) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,990 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:04,990 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:04,990 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:04,990 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:04,990 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:04,990 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:04,990 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:04,990 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:04,990 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:04,990 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:04,990 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,006 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2180_785069348428014382019
2019-08-13 23:48:05,006 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2072
2019-08-13 23:48:05,006 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:05,006 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000001F6000-0x0000000000200000
2019-08-13 23:48:05,006 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:05,006 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,006 [root] INFO: Added new process to list with pid: 2008
2019-08-13 23:48:05,006 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:05,006 [root] INFO: Monitor successfully loaded in process with pid 2008.
2019-08-13 23:48:05,006 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:05,020 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:05,020 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:05,020 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:05,020 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2024
2019-08-13 23:48:05,020 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,020 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,020 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,020 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,020 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,020 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2068
2019-08-13 23:48:05,020 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,036 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,036 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,036 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,036 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,036 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000224000-0x0000000000320000
2019-08-13 23:48:05,036 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,036 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,036 [root] INFO: Added new process to list with pid: 2072
2019-08-13 23:48:05,036 [root] DEBUG: Loader: Injecting process 2024 (thread 1084) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,036 [root] DEBUG: Loader: Injecting process 2068 (thread 2328) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,036 [root] INFO: Monitor successfully loaded in process with pid 2072.
2019-08-13 23:48:05,036 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:05,052 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:05,052 [root] DEBUG: GetHookCallerBase: thread 1572 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,052 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:05,052 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:05,052 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,052 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,052 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,052 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,052 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,068 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2024
2019-08-13 23:48:05,068 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2068
2019-08-13 23:48:05,068 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,068 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:05,068 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,068 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,084 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:05,084 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2072_963823556528014382019
2019-08-13 23:48:05,084 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:05,084 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:05,084 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,084 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,084 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,098 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,098 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:05,098 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000001E5000-0x00000000001F0000
2019-08-13 23:48:05,098 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,098 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:05,098 [root] INFO: Added new process to list with pid: 2024
2019-08-13 23:48:05,098 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:05,098 [root] INFO: Monitor successfully loaded in process with pid 2024.
2019-08-13 23:48:05,098 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2636
2019-08-13 23:48:05,098 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,115 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3008
2019-08-13 23:48:05,115 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,115 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,115 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,115 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,115 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000074000-0x0000000000170000
2019-08-13 23:48:05,115 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,115 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,115 [root] INFO: Added new process to list with pid: 2068
2019-08-13 23:48:05,115 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,115 [root] DEBUG: Loader: Injecting process 2636 (thread 2288) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,115 [root] INFO: Monitor successfully loaded in process with pid 2068.
2019-08-13 23:48:05,115 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:05,115 [root] DEBUG: GetHookCallerBase: thread 2328 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:05,115 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,115 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:05,115 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,130 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:05,130 [root] DEBUG: Loader: Injecting process 3008 (thread 1220) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,130 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:05,130 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:05,130 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:05,130 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:05,130 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,130 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,130 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,130 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,130 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:05,130 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2636
2019-08-13 23:48:05,130 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:05,145 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:05,145 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:05,145 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,145 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,145 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3008
2019-08-13 23:48:05,145 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2068_1550933984528014382019
2019-08-13 23:48:05,145 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:05,145 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:05,161 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:05,161 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,161 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:05,161 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:05,161 [root] INFO: Notified of termination of process with pid 2144.
2019-08-13 23:48:05,177 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,193 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:05,193 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,193 [root] DEBUG: GetHookCallerBase: thread 2092 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,193 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3040
2019-08-13 23:48:05,207 [root] INFO: Notified of termination of process with pid 1664.
2019-08-13 23:48:05,207 [root] DEBUG: GetHookCallerBase: thread 1084 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,207 [root] DEBUG: GetHookCallerBase: thread 2864 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,207 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:05,207 [root] DEBUG: GetHookCallerBase: thread 2028 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,207 [root] DEBUG: GetHookCallerBase: thread 2720 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,207 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,207 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:05,207 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,207 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,223 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:05,223 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,223 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,240 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,240 [root] INFO: Notified of termination of process with pid 832.
2019-08-13 23:48:05,240 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,240 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,240 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,240 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,240 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,240 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,240 [root] INFO: Announced 64-bit process name: cmd.exe pid: 580
2019-08-13 23:48:05,255 [root] INFO: Notified of termination of process with pid 2352.
2019-08-13 23:48:05,255 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,255 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,255 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,255 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,255 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,255 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,255 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,255 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,270 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,270 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,270 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,270 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,270 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,286 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,286 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,286 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 23:48:05,286 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000125000-0x0000000000130000
2019-08-13 23:48:05,286 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,286 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,302 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,302 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,302 [root] DEBUG: Loader: Injecting process 3040 (thread 2244) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,302 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,302 [root] INFO: Added new process to list with pid: 3008
2019-08-13 23:48:05,302 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,302 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:05,318 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:05,318 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:05,318 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:05,318 [root] INFO: Monitor successfully loaded in process with pid 3008.
2019-08-13 23:48:05,318 [root] INFO: Added new process to list with pid: 2636
2019-08-13 23:48:05,318 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:05,318 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2008_107706138528014382019
2019-08-13 23:48:05,318 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:05,318 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,318 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:05,332 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:05,332 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,332 [root] INFO: Monitor successfully loaded in process with pid 2636.
2019-08-13 23:48:05,332 [root] DEBUG: GetHookCallerBase: thread 1220 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:05,332 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:05,332 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:05,332 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:05,332 [root] DEBUG: Loader: Injecting process 580 (thread 1588) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,332 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:05,348 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:05,348 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:05,348 [root] DEBUG: GetHookCallerBase: thread 2288 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,348 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:05,348 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:05,348 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,348 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\2024_470221027528014382019
2019-08-13 23:48:05,364 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:05,364 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\1192_46750172528014382019
2019-08-13 23:48:05,364 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\1412_1638954588528014382019
2019-08-13 23:48:05,364 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:05,364 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,364 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:05,364 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\2344_1841213800528014382019
2019-08-13 23:48:05,364 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,364 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,380 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,380 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,380 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:05,395 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:05,395 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2024_470221027528014382019
2019-08-13 23:48:05,395 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,395 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,395 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\1192_46750172528014382019
2019-08-13 23:48:05,411 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,411 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,411 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:05,411 [root] DEBUG: DumpRegion: Dumped stack region from 0x000000013F450000, size 0x77000.
2019-08-13 23:48:05,411 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3040
2019-08-13 23:48:05,411 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,427 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2344_1841213800528014382019
2019-08-13 23:48:05,427 [root] DEBUG: DumpRegion: Dumped stack region from 0x000000013F450000, size 0x77000.
2019-08-13 23:48:05,427 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\1412_1638954588528014382019
2019-08-13 23:48:05,427 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,427 [root] DEBUG: Dump-on-API: Dumped memory region at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,427 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2019-08-13 23:48:05,441 [root] DEBUG: DumpRegion: Dumped stack region from 0x000000013F450000, size 0x77000.
2019-08-13 23:48:05,441 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,441 [root] DEBUG: Dump-on-API: Dumped memory region at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,441 [root] DEBUG: DumpRegion: Dumped stack region from 0x000000013F450000, size 0x77000.
2019-08-13 23:48:05,441 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,441 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3008_621399184528014382019
2019-08-13 23:48:05,441 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,441 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Users\user\AppData\Local\Temp\CapeOutput.bin: The system cannot find the file specified.
2019-08-13 23:48:05,441 [root] DEBUG: Dump-on-API: Dumped memory region at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,457 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,457 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,457 [root] DEBUG: Dump-on-API: Dumped memory region at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,457 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 580
2019-08-13 23:48:05,457 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:05,457 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2019-08-13 23:48:05,457 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,457 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,473 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,473 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,473 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,473 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,473 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:05,473 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,473 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dpatymp\CAPE\2636_1971815048528014382019
2019-08-13 23:48:05,473 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,473 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,489 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,489 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,489 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,489 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,489 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:05,489 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,505 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,505 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:05,505 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,505 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,519 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2636_1971815048528014382019
2019-08-13 23:48:05,519 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:05,519 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,519 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,519 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000195000-0x00000000001A0000
2019-08-13 23:48:05,519 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2616
2019-08-13 23:48:05,536 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,536 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,536 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,536 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,536 [root] DEBUG: DumpRegion: Dumped stack region from 0x000000013F450000, size 0x77000.
2019-08-13 23:48:05,536 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,536 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:05,536 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,536 [root] INFO: Added new process to list with pid: 3040
2019-08-13 23:48:05,552 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,552 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,552 [root] DEBUG: Dump-on-API: Dumped memory region at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,552 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:05,552 [root] INFO: Monitor successfully loaded in process with pid 3040.
2019-08-13 23:48:05,552 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,566 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,566 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,582 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,582 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:05,582 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000001B4000-0x00000000002B0000
2019-08-13 23:48:05,582 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:05,582 [root] DEBUG: GetHookCallerBase: thread 2244 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:05,582 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,582 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2608
2019-08-13 23:48:05,598 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:05,614 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:05,614 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:05,614 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,614 [root] INFO: Added new process to list with pid: 580
2019-08-13 23:48:05,614 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:05,630 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,630 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:05,644 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:05,644 [root] INFO: Monitor successfully loaded in process with pid 580.
2019-08-13 23:48:05,644 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,644 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:05,644 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:05,644 [root] DEBUG: Loader: Injecting process 2616 (thread 2964) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,644 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:05,661 [root] DEBUG: GetHookCallerBase: thread 1588 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:05,661 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,661 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:05,661 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:05,661 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:05,676 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:05,676 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:05,676 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:05,676 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:05,691 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:05,691 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,691 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,691 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,691 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:05,691 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:05,707 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:05,707 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:05,707 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:05,707 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:05,707 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:05,723 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:05,723 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3040_1179165616528014382019
2019-08-13 23:48:05,739 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:05,739 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:05,739 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:05,739 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:05,739 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:05,739 [root] DEBUG: Loader: Injecting process 2608 (thread 2648) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,739 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,739 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,739 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:05,739 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:05,739 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:05,739 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,739 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:05,753 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,753 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2616
2019-08-13 23:48:05,753 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:05,753 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:05,753 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:05,753 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:05,753 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:05,769 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\580_512459376528014382019
2019-08-13 23:48:05,769 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:05,769 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:05,769 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:05,769 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:05,769 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:05,801 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:05,801 [root] INFO: Process with pid 832 has terminated
2019-08-13 23:48:05,801 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:05,801 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:05,801 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:05,801 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:05,816 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:05,816 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2608
2019-08-13 23:48:05,816 [root] INFO: Process with pid 1664 has terminated
2019-08-13 23:48:05,816 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:05,816 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:05,816 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:05,816 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:05,941 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:05,941 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000195000-0x00000000001A0000
2019-08-13 23:48:05,941 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:05,957 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:05,957 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:05,957 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2248
2019-08-13 23:48:05,957 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:05,957 [root] INFO: Added new process to list with pid: 2616
2019-08-13 23:48:05,957 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:06,003 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:06,003 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:06,003 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:06,003 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:06,003 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:06,019 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:06,019 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,019 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:06,019 [root] INFO: Monitor successfully loaded in process with pid 2616.
2019-08-13 23:48:06,019 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:06,035 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,035 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:06,035 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:06,035 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:06,051 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:06,051 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:06,051 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:06,051 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:06,051 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:06,082 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,082 [root] DEBUG: GetHookCallerBase: thread 2964 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:06,082 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,082 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:06,098 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:06,098 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:06,112 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:06,144 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:06,144 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:06,144 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,144 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,144 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:06,176 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:06,332 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,394 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,658 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:06,658 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:06,783 [root] INFO: Announced 32-bit process name: ропрУВаЫсен.exe pid: 2284
2019-08-13 23:48:06,783 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:06,861 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:06,878 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:06,878 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:06,924 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000001F4000-0x00000000002F0000
2019-08-13 23:48:06,970 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:06,970 [root] DEBUG: Loader: Injecting process 2248 (thread 1916) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:06,986 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:06,986 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:06,986 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:06,986 [lib.api.process] INFO: 32-bit DLL to inject is C:\dpatymp\dll\ThXRIftU.dll, loader C:\dpatymp\bin\HqhCeFU.exe
2019-08-13 23:48:07,079 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,079 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,079 [root] INFO: Added new process to list with pid: 2608
2019-08-13 23:48:07,079 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:07,079 [root] INFO: Process with pid 2352 has terminated
2019-08-13 23:48:07,079 [root] INFO: Monitor successfully loaded in process with pid 2608.
2019-08-13 23:48:07,079 [root] INFO: Process with pid 2144 has terminated
2019-08-13 23:48:07,174 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:07,174 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,174 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:07,190 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2616_1090522506628014382019
2019-08-13 23:48:07,190 [root] DEBUG: GetHookCallerBase: thread 2648 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:07,190 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:07,190 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,190 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,299 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:07,299 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,299 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:07,299 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:07,299 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,299 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:07,299 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:07,329 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:07,345 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,345 [root] DEBUG: Loader: Injecting process 2284 (thread 1948) with C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:48:07,345 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,345 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:07,361 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:07,377 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,377 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:07,377 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:07,391 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:07,391 [root] DEBUG: Process image base: 0x00400000
2019-08-13 23:48:07,391 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,391 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:07,391 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:07,424 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:07,424 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,424 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:07,424 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:48:07,424 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:07,424 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:07,424 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:07,424 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:07,438 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:07,438 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:07,438 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0048F000 - 0x77380000
2019-08-13 23:48:07,438 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:07,454 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:07,454 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2608_1892375480728014382019
2019-08-13 23:48:07,470 [root] DEBUG: InjectDllViaIAT: Allocated 0x112c bytes for new import table at 0x00490000.
2019-08-13 23:48:07,470 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:07,470 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2248
2019-08-13 23:48:07,470 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:07,470 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:07,502 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:07,502 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:07,516 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:07,563 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:07,563 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:07,563 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:07,563 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:07,563 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\ThXRIftU.dll.
2019-08-13 23:48:07,563 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:07,579 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:07,579 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2284
2019-08-13 23:48:07,579 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:07,579 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:07,595 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:07,595 [root] INFO: Announced 64-bit process name: powershell.exe pid: 1460
2019-08-13 23:48:07,595 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:07,595 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:07,611 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:07,611 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:07,611 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:07,611 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:07,625 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:07,625 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:07,625 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000115000-0x0000000000120000
2019-08-13 23:48:07,625 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:07,625 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:07,625 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:07,625 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:07,641 [root] INFO: Added new process to list with pid: 2248
2019-08-13 23:48:07,641 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:07,641 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:07,641 [root] INFO: Monitor successfully loaded in process with pid 2248.
2019-08-13 23:48:07,641 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:07,657 [root] DEBUG: Loader: Injecting process 1460 (thread 888) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:07,657 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:07,657 [root] DEBUG: GetHookCallerBase: thread 1916 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:07,657 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:07,657 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:07,657 [root] DEBUG: CAPE initialised: 32-bit DumpOnAPI package loaded at 0x74af0000, process image base 0x400000, stack from 0x287000-0x290000
2019-08-13 23:48:07,657 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:07,673 [root] INFO: Added new process to list with pid: 2284
2019-08-13 23:48:07,673 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:07,673 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:07,673 [root] INFO: Monitor successfully loaded in process with pid 2284.
2019-08-13 23:48:07,673 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:07,673 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:07,673 [root] DEBUG: GetHookCallerBase: thread 1948 (handle 0x0), return address 0x004012A9, allocation base 0x00400000.
2019-08-13 23:48:07,673 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:07,673 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:07,703 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00400000 main_caller_retaddr 0x004012A9 parent_caller_retaddr 0x00000000.
2019-08-13 23:48:07,703 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:07,703 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:07,703 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVEHJ6CD8WYU644TVRMC.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YVEHJ6CD8WYU644TVRMC.temp'
2019-08-13 23:48:07,703 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 23:48:07,703 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2248_718503222728014382019
2019-08-13 23:48:07,703 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:07,703 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:07,703 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-08-13 23:48:07,703 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:07,703 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVEHJ6CD8WYU644TVRMC.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YVEHJ6CD8WYU644TVRMC.temp'
2019-08-13 23:48:07,703 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1460
2019-08-13 23:48:07,750 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:07,766 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:07,766 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:07,782 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:07,782 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:07,798 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:07,798 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVEHJ6CD8WYU644TVRMC.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YVEHJ6CD8WYU644TVRMC.temp'
2019-08-13 23:48:07,798 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2284_1568423581728014382019
2019-08-13 23:48:07,798 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:07,813 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:07,813 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF85fcc6.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF85fcc6.TMP'
2019-08-13 23:48:07,813 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x82c00.
2019-08-13 23:48:07,813 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:07,828 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:07,845 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:07,845 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:07,845 [root] DEBUG: Dump-on-API: Dumped module at 0x00400000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:07,859 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:07,875 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:07,875 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:07,875 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:07,875 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVEHJ6CD8WYU644TVRMC.temp" does not exist, skip.
2019-08-13 23:48:07,875 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:07,875 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 23:48:07,891 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:07,891 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000125000-0x0000000000130000
2019-08-13 23:48:07,907 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:07,907 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 23:48:07,970 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:07,984 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:07,984 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:08,000 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:08,000 [root] INFO: Added new process to list with pid: 1460
2019-08-13 23:48:08,000 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-08-13 23:48:08,000 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:08,000 [root] INFO: Monitor successfully loaded in process with pid 1460.
2019-08-13 23:48:08,000 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVEHJ6CD8WYU644TVRMC.temp" does not exist, skip.
2019-08-13 23:48:08,000 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 23:48:08,000 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:08,016 [root] DEBUG: GetHookCallerBase: thread 888 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:08,016 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 23:48:08,016 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:08,016 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJA1ZE0X0KTJ9ZOGCPAP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\PJA1ZE0X0KTJ9ZOGCPAP.temp'
2019-08-13 23:48:08,016 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:08,016 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:08,032 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 23:48:08,032 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:08,032 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:08,032 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJA1ZE0X0KTJ9ZOGCPAP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\PJA1ZE0X0KTJ9ZOGCPAP.temp'
2019-08-13 23:48:08,032 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:08,048 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:08,048 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:08,048 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:08,048 [root] DEBUG: DLL unloaded from 0x76790000.
2019-08-13 23:48:08,048 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:08,048 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:08,062 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJA1ZE0X0KTJ9ZOGCPAP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\PJA1ZE0X0KTJ9ZOGCPAP.temp'
2019-08-13 23:48:08,062 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:08,078 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:08,078 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF85fdcf.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF85fdcf.TMP'
2019-08-13 23:48:08,078 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:08,094 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:08,141 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:08,141 [root] DEBUG: DLL loaded at 0x74720000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-08-13 23:48:08,141 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:08,141 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJA1ZE0X0KTJ9ZOGCPAP.temp" does not exist, skip.
2019-08-13 23:48:08,141 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 23:48:08,141 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\1460_383157462828014382019
2019-08-13 23:48:08,141 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-08-13 23:48:08,171 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 23:48:08,187 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:08,187 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 23:48:08,187 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:08,187 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:08,187 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:08,203 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:08,203 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:08,219 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 23:48:08,219 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:08,219 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:08,219 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-08-13 23:48:08,219 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:08,234 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJA1ZE0X0KTJ9ZOGCPAP.temp" does not exist, skip.
2019-08-13 23:48:08,234 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 23:48:08,234 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:08,250 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:08,250 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 23:48:08,250 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:08,266 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:08,266 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 23:48:08,266 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:08,266 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 23:48:08,282 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:08,282 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 23:48:08,282 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:08,312 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 23:48:08,312 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:08,328 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:08,359 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2084
2019-08-13 23:48:08,359 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:08,359 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:08,359 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:08,359 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:08,359 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:08,469 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-08-13 23:48:08,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:08,516 [root] DEBUG: Loader: Injecting process 2084 (thread 1152) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:08,562 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:08,562 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:08,578 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:08,578 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:08,578 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:08,594 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:08,594 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:08,640 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:08,640 [root] DEBUG: DLL unloaded from 0x74720000.
2019-08-13 23:48:08,640 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:08,640 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:08,640 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-13 23:48:08,640 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:08,655 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-13 23:48:08,655 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2084
2019-08-13 23:48:08,655 [root] INFO: Notified of termination of process with pid 2736.
2019-08-13 23:48:08,655 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:08,717 [root] DEBUG: DLL unloaded from 0x74720000.
2019-08-13 23:48:08,733 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:08,733 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:08,750 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:08,796 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:08,796 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:08,796 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:08,828 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:08,828 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:08,828 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:08,842 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2348
2019-08-13 23:48:08,858 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:08,858 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:08,858 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:08,874 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:08,874 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:08,874 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:08,890 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000001C4000-0x00000000002C0000
2019-08-13 23:48:08,890 [root] INFO: Added new process to list with pid: 2084
2019-08-13 23:48:08,905 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:08,905 [root] INFO: Monitor successfully loaded in process with pid 2084.
2019-08-13 23:48:08,905 [root] DEBUG: Loader: Injecting process 2348 (thread 2772) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:08,905 [root] DEBUG: GetHookCallerBase: thread 1152 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:08,905 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:08,905 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:08,905 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:08,905 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:08,905 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:08,921 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:08,921 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:08,921 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:08,921 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:08,937 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:08,937 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:08,937 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:08,951 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2348
2019-08-13 23:48:08,951 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2084_781922044828014382019
2019-08-13 23:48:08,951 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:08,951 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:08,951 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:08,951 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:08,951 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:08,967 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:08,967 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:08,967 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:08,967 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:08,983 [root] INFO: Announced 64-bit process name: sc.exe pid: 284
2019-08-13 23:48:08,983 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:08,983 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:08,999 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:08,999 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2696
2019-08-13 23:48:08,999 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:08,999 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:08,999 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,015 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,015 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,015 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,015 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000154000-0x0000000000250000
2019-08-13 23:48:09,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,029 [root] DEBUG: Loader: Injecting process 284 (thread 2376) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,029 [root] INFO: Added new process to list with pid: 2348
2019-08-13 23:48:09,029 [root] DEBUG: Loader: Injecting process 2696 (thread 2992) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,029 [root] DEBUG: Process image base: 0x00000000FFB00000
2019-08-13 23:48:09,029 [root] INFO: Monitor successfully loaded in process with pid 2348.
2019-08-13 23:48:09,046 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:09,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,046 [root] DEBUG: GetHookCallerBase: thread 2772 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:09,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,046 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFB0F000 - 0x000007FEFF6A0000
2019-08-13 23:48:09,046 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:09,062 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:09,062 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FFB10000.
2019-08-13 23:48:09,062 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:09,062 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:09,062 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,076 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:09,076 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,076 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,076 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,076 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 284
2019-08-13 23:48:09,076 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,076 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2696
2019-08-13 23:48:09,092 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:09,092 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,092 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:09,092 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,092 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,108 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:09,108 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,108 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,108 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2348_486210105928014382019
2019-08-13 23:48:09,108 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,124 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:09,124 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:09,124 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,124 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,124 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,140 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:09,140 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:09,140 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFB00000, stack from 0x0000000000176000-0x0000000000180000
2019-08-13 23:48:09,154 [root] INFO: Process with pid 2736 has terminated
2019-08-13 23:48:09,154 [root] INFO: Announced 64-bit process name: cmd.exe pid: 1248
2019-08-13 23:48:09,154 [root] INFO: Added new process to list with pid: 284
2019-08-13 23:48:09,154 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 23:48:09,154 [root] INFO: Announced 64-bit process name: sc.exe pid: 3068
2019-08-13 23:48:09,154 [root] INFO: Monitor successfully loaded in process with pid 284.
2019-08-13 23:48:09,154 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,154 [root] INFO: Added new process to list with pid: 2696
2019-08-13 23:48:09,171 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,171 [root] DEBUG: GetHookCallerBase: thread 2376 (handle 0x0), return address 0x00000000FFB01D01, allocation base 0x00000000FFB00000.
2019-08-13 23:48:09,171 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,171 [root] INFO: Monitor successfully loaded in process with pid 2696.
2019-08-13 23:48:09,171 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,171 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFB00000 main_caller_retaddr 0x00000000FFB01D01 parent_caller_retaddr 0x00000000FFB01E7B.
2019-08-13 23:48:09,171 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,186 [root] DEBUG: GetHookCallerBase: thread 2992 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:09,186 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:09,186 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,186 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFB00000.
2019-08-13 23:48:09,186 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:09,201 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,201 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:09,201 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,201 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:48:09,201 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:09,201 [root] DEBUG: Loader: Injecting process 1248 (thread 3020) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,201 [root] DEBUG: Loader: Injecting process 3068 (thread 2840) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,217 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,217 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:09,217 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:09,217 [root] DEBUG: Process image base: 0x00000000FFB00000
2019-08-13 23:48:09,233 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,233 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,233 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,249 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\653YFRECRPC3YC5HN16B.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\653YFRECRPC3YC5HN16B.temp'
2019-08-13 23:48:09,249 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:09,249 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\284_1863380730928014382019
2019-08-13 23:48:09,249 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FFB0F000 - 0x000007FEFF6A0000
2019-08-13 23:48:09,249 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\653YFRECRPC3YC5HN16B.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\653YFRECRPC3YC5HN16B.temp'
2019-08-13 23:48:09,249 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:09,249 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:48:09,249 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00000000FFB10000.
2019-08-13 23:48:09,263 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2696_989594214928014382019
2019-08-13 23:48:09,263 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,263 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:09,263 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFB00000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,263 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,263 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:09,263 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,279 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\653YFRECRPC3YC5HN16B.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\653YFRECRPC3YC5HN16B.temp'
2019-08-13 23:48:09,279 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,279 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,279 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1248
2019-08-13 23:48:09,296 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:09,296 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF860290.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF860290.TMP'
2019-08-13 23:48:09,296 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3068
2019-08-13 23:48:09,296 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:09,296 [root] INFO: Notified of termination of process with pid 284.
2019-08-13 23:48:09,311 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:09,311 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:09,311 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:09,311 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,311 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,311 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:09,326 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:09,326 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\653YFRECRPC3YC5HN16B.temp" does not exist, skip.
2019-08-13 23:48:09,326 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:09,326 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3304
2019-08-13 23:48:09,326 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,342 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,342 [root] INFO: Notified of termination of process with pid 2084.
2019-08-13 23:48:09,342 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:09,342 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,342 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:09,342 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,342 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,358 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:09,358 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\653YFRECRPC3YC5HN16B.temp" does not exist, skip.
2019-08-13 23:48:09,358 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,358 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,374 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,374 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:09,374 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,374 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:09,374 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FFB00000, stack from 0x0000000000205000-0x0000000000210000
2019-08-13 23:48:09,374 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3452
2019-08-13 23:48:09,388 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000174000-0x0000000000270000
2019-08-13 23:48:09,388 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:09,388 [root] INFO: Added new process to list with pid: 3068
2019-08-13 23:48:09,388 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,388 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,388 [root] INFO: Monitor successfully loaded in process with pid 3068.
2019-08-13 23:48:09,388 [root] INFO: Added new process to list with pid: 1248
2019-08-13 23:48:09,404 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,404 [root] DEBUG: Loader: Injecting process 3304 (thread 3308) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,404 [root] DEBUG: GetHookCallerBase: thread 2840 (handle 0x0), return address 0x00000000FFB01D01, allocation base 0x00000000FFB00000.
2019-08-13 23:48:09,404 [root] INFO: Monitor successfully loaded in process with pid 1248.
2019-08-13 23:48:09,404 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,404 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:09,404 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x00000000FFB00000 main_caller_retaddr 0x00000000FFB01D01 parent_caller_retaddr 0x00000000FFB01E7B.
2019-08-13 23:48:09,404 [root] DEBUG: GetHookCallerBase: thread 3020 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:09,420 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,420 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFB00000.
2019-08-13 23:48:09,420 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,420 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:09,420 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:09,420 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001DD4.
2019-08-13 23:48:09,436 [root] DEBUG: Loader: Injecting process 3452 (thread 3456) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,436 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:09,436 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:09,436 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:09,436 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,436 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:09,436 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,451 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,451 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,451 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,467 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:09,483 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3304
2019-08-13 23:48:09,513 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:09,513 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3068_20674124928014382019
2019-08-13 23:48:09,513 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,513 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb000.
2019-08-13 23:48:09,513 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,529 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,529 [root] DEBUG: Dump-on-API: Dumped module at 0x00000000FFB00000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,529 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\1248_1167329368928014382019
2019-08-13 23:48:09,529 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,529 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3452
2019-08-13 23:48:09,529 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:09,545 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,545 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,545 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:09,545 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:09,561 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,561 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,561 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:09,561 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:09,561 [root] INFO: Notified of termination of process with pid 3068.
2019-08-13 23:48:09,561 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,575 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:09,575 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3700
2019-08-13 23:48:09,575 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000001F5000-0x0000000000200000
2019-08-13 23:48:09,575 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:09,575 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,575 [root] INFO: Added new process to list with pid: 3304
2019-08-13 23:48:09,592 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:09,592 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,592 [root] INFO: Monitor successfully loaded in process with pid 3304.
2019-08-13 23:48:09,592 [root] INFO: Notified of termination of process with pid 2348.
2019-08-13 23:48:09,592 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,592 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:09,592 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,608 [root] DEBUG: GetHookCallerBase: thread 3308 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:09,608 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,608 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:09,608 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3804
2019-08-13 23:48:09,608 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000000B4000-0x00000000001B0000
2019-08-13 23:48:09,622 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,622 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:09,622 [root] INFO: Added new process to list with pid: 3452
2019-08-13 23:48:09,622 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,622 [root] DEBUG: Loader: Injecting process 3700 (thread 3704) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,622 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:09,622 [root] INFO: Monitor successfully loaded in process with pid 3452.
2019-08-13 23:48:09,638 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,638 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:09,638 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,638 [root] DEBUG: GetHookCallerBase: thread 3456 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:09,638 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,638 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,654 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:09,654 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:09,654 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,654 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:09,670 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:09,670 [root] DEBUG: Loader: Injecting process 3804 (thread 3808) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,670 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:09,670 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,670 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:09,686 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,686 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,686 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,686 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3304_2028761789928014382019
2019-08-13 23:48:09,686 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3700
2019-08-13 23:48:09,700 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:09,700 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:09,700 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:09,717 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,717 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,717 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,717 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:09,717 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,717 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,717 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3452_307352564928014382019
2019-08-13 23:48:09,732 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,732 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:09,732 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3804
2019-08-13 23:48:09,732 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:09,747 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,747 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:09,747 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:09,747 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,763 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,763 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:09,763 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000000F5000-0x0000000000100000
2019-08-13 23:48:09,763 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:09,779 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:09,779 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:09,779 [root] INFO: Added new process to list with pid: 3700
2019-08-13 23:48:09,779 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:09,779 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:09,779 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:09,795 [root] INFO: Monitor successfully loaded in process with pid 3700.
2019-08-13 23:48:09,795 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:09,795 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:09,809 [root] INFO: Announced 64-bit process name: powershell.exe pid: 4064
2019-08-13 23:48:09,809 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:09,809 [root] DEBUG: GetHookCallerBase: thread 3704 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:09,809 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:09,809 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:09,825 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,825 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:09,825 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000034000-0x0000000000130000
2019-08-13 23:48:09,825 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3176
2019-08-13 23:48:09,825 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,825 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:09,842 [root] INFO: Added new process to list with pid: 3804
2019-08-13 23:48:09,842 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,842 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:09,857 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:09,857 [root] INFO: Monitor successfully loaded in process with pid 3804.
2019-08-13 23:48:09,857 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:09,857 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:09,872 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:09,872 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,904 [root] DEBUG: GetHookCallerBase: thread 3808 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:09,904 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:09,904 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,904 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:09,920 [root] DEBUG: Loader: Injecting process 4064 (thread 4068) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,920 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:09,920 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:09,934 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:09,934 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:09,934 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:09,934 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,950 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3700_1656607936928014382019
2019-08-13 23:48:09,950 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:09,950 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:09,950 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:09,966 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:09,966 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:09,966 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:09,966 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:09,982 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,982 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4064
2019-08-13 23:48:09,982 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:09,982 [root] DEBUG: Loader: Injecting process 3176 (thread 3180) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:09,982 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3804_1269011095928014382019
2019-08-13 23:48:09,997 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:09,997 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:09,997 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:10,013 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:10,013 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:10,013 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:10,013 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:10,013 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,013 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:10,029 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:10,029 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:10,029 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:10,029 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:10,029 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:10,029 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:10,043 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2528
2019-08-13 23:48:10,091 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:10,091 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:10,107 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:10,107 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:10,107 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000245000-0x0000000000250000
2019-08-13 23:48:10,107 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:10,107 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:10,121 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:10,138 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:10,154 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:10,154 [root] INFO: Added new process to list with pid: 4064
2019-08-13 23:48:10,154 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,168 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:10,168 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:10,168 [root] INFO: Monitor successfully loaded in process with pid 4064.
2019-08-13 23:48:10,168 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3176
2019-08-13 23:48:10,168 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:10,184 [root] DEBUG: GetHookCallerBase: thread 4068 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:10,200 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:10,200 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G5O0U5TU7T3758SDE5KV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\G5O0U5TU7T3758SDE5KV.temp'
2019-08-13 23:48:10,232 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:10,232 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:10,246 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:10,246 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:10,246 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:10,246 [root] DEBUG: Loader: Injecting process 2528 (thread 2492) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,263 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G5O0U5TU7T3758SDE5KV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\G5O0U5TU7T3758SDE5KV.temp'
2019-08-13 23:48:10,263 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:10,263 [root] INFO: Process with pid 2084 has terminated
2019-08-13 23:48:10,263 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:10,278 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:10,278 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:10,278 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:10,278 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:10,278 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:10,278 [root] INFO: Process with pid 284 has terminated
2019-08-13 23:48:10,293 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:10,293 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:10,293 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:10,293 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:10,293 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:10,293 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,309 [root] INFO: Process with pid 3068 has terminated
2019-08-13 23:48:10,309 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G5O0U5TU7T3758SDE5KV.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\G5O0U5TU7T3758SDE5KV.temp'
2019-08-13 23:48:10,325 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:10,325 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:10,325 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:10,325 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:10,341 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:10,388 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:10,388 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF939b26.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF939b26.TMP'
2019-08-13 23:48:10,403 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:10,418 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2920
2019-08-13 23:48:10,418 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:10,434 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\4064_17915519491028014382019
2019-08-13 23:48:10,434 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:10,434 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:10,434 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:10,434 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,434 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:10,450 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G5O0U5TU7T3758SDE5KV.temp" does not exist, skip.
2019-08-13 23:48:10,450 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:10,450 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2528
2019-08-13 23:48:10,450 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:10,466 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:10,480 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:10,480 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:10,480 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:10,496 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:10,496 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:10,496 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:10,512 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:10,575 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:10,575 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000124000-0x0000000000220000
2019-08-13 23:48:10,559 [root] DEBUG: Loader: Injecting process 2920 (thread 2800) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,575 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:10,605 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000000C5000-0x00000000000D0000
2019-08-13 23:48:10,605 [root] INFO: Added new process to list with pid: 3176
2019-08-13 23:48:10,621 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:10,637 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:10,637 [root] INFO: Monitor successfully loaded in process with pid 3176.
2019-08-13 23:48:10,637 [root] INFO: Added new process to list with pid: 2528
2019-08-13 23:48:10,637 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,637 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:10,637 [root] DEBUG: GetHookCallerBase: thread 3180 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:10,637 [root] INFO: Monitor successfully loaded in process with pid 2528.
2019-08-13 23:48:10,653 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:10,653 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:10,653 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:10,653 [root] DEBUG: GetHookCallerBase: thread 2492 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:10,653 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:10,684 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:10,684 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:10,684 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:10,700 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:10,714 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:10,714 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:10,714 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:10,730 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:10,730 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,746 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:10,746 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:10,762 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:10,762 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:10,778 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2920
2019-08-13 23:48:10,778 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:10,823 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:10,823 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:10,839 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:10,839 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:10,839 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:10,839 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3176_13635764961028014382019
2019-08-13 23:48:10,839 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:10,855 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2528_2369838541028014382019
2019-08-13 23:48:10,855 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:10,871 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:10,871 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:10,887 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:10,887 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:10,901 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:10,901 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:10,917 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:10,917 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:10,917 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:10,917 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:10,917 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3300
2019-08-13 23:48:10,934 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000104000-0x0000000000200000
2019-08-13 23:48:10,948 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:10,948 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:10,948 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:10,948 [root] INFO: Added new process to list with pid: 2920
2019-08-13 23:48:10,948 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:10,948 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:10,948 [root] INFO: Monitor successfully loaded in process with pid 2920.
2019-08-13 23:48:10,964 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:10,964 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3352
2019-08-13 23:48:10,964 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:10,964 [root] DEBUG: GetHookCallerBase: thread 2800 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:10,964 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:10,980 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:10,980 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:10,980 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:10,996 [root] DEBUG: Loader: Injecting process 3300 (thread 3216) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:10,996 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:11,012 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:11,012 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:11,012 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:11,012 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:11,012 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:11,012 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,012 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:11,026 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:11,026 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:11,026 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:11,026 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:11,073 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:11,073 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:11,073 [root] DEBUG: Loader: Injecting process 3352 (thread 1904) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,073 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:11,073 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:11,073 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:11,089 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:11,089 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:11,089 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,089 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,105 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\2920_16902414241128014382019
2019-08-13 23:48:11,105 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3300
2019-08-13 23:48:11,105 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:11,121 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:11,121 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:11,135 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:11,135 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:11,135 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:11,135 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:11,151 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:11,183 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:11,183 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:11,183 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:11,198 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,213 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:11,213 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3664
2019-08-13 23:48:11,213 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3352
2019-08-13 23:48:11,213 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:11,213 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:11,230 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:11,246 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000156000-0x0000000000160000
2019-08-13 23:48:11,246 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:11,246 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:11,246 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:11,246 [root] INFO: Added new process to list with pid: 3300
2019-08-13 23:48:11,292 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:11,292 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:11,308 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:11,308 [root] INFO: Monitor successfully loaded in process with pid 3300.
2019-08-13 23:48:11,308 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:11,323 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:11,338 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:11,338 [root] DEBUG: GetHookCallerBase: thread 3216 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:11,338 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:11,338 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:11,355 [root] DEBUG: Loader: Injecting process 3664 (thread 3680) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,355 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:11,355 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:11,355 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:11,355 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:11,355 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:11,369 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,369 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3984
2019-08-13 23:48:11,369 [root] INFO: Process with pid 2348 has terminated
2019-08-13 23:48:11,369 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000000A4000-0x00000000001A0000
2019-08-13 23:48:11,369 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:11,369 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:11,385 [root] INFO: Added new process to list with pid: 3352
2019-08-13 23:48:11,385 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:11,385 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:11,385 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:11,385 [root] INFO: Monitor successfully loaded in process with pid 3352.
2019-08-13 23:48:11,401 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:11,401 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:11,417 [root] DEBUG: GetHookCallerBase: thread 1904 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:11,417 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:11,417 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:11,417 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,417 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:11,417 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:11,433 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3664
2019-08-13 23:48:11,433 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:11,433 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3300_20074634241128014382019
2019-08-13 23:48:11,433 [root] DEBUG: Loader: Injecting process 3984 (thread 4008) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,433 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:11,433 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:11,433 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:11,447 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:11,447 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:11,447 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:11,447 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:11,463 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:11,463 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,463 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:11,463 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:11,463 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:11,463 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:11,480 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:11,480 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:11,480 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:11,494 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:11,494 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:11,494 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000215000-0x0000000000220000
2019-08-13 23:48:11,494 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:11,494 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3352_6386445441128014382019
2019-08-13 23:48:11,494 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,510 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:11,510 [root] INFO: Added new process to list with pid: 3664
2019-08-13 23:48:11,510 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:11,510 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:11,510 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3984
2019-08-13 23:48:11,526 [root] INFO: Monitor successfully loaded in process with pid 3664.
2019-08-13 23:48:11,526 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:11,526 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:11,526 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:11,558 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:11,542 [root] DEBUG: GetHookCallerBase: thread 3680 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:11,558 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:11,558 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:11,558 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:11,572 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:11,572 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:11,572 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:11,572 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:11,572 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3576
2019-08-13 23:48:11,572 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:11,572 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:11,588 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:11,588 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:11,588 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G5O0U5TU7T3758SDE5KV.temp" does not exist, skip.
2019-08-13 23:48:11,588 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:11,588 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:11,588 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:11,604 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:11,604 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:11,604 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:11,604 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:11,604 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:11,604 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:11,604 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:11,619 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:11,619 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:11,619 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000001A4000-0x00000000002A0000
2019-08-13 23:48:11,635 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3540
2019-08-13 23:48:11,635 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:11,681 [root] INFO: Added new process to list with pid: 3984
2019-08-13 23:48:11,681 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:11,681 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:11,681 [root] INFO: Monitor successfully loaded in process with pid 3984.
2019-08-13 23:48:11,681 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:11,681 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3664_2662700441128014382019
2019-08-13 23:48:11,681 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:11,697 [root] DEBUG: GetHookCallerBase: thread 4008 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:11,697 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:11,697 [root] DEBUG: Loader: Injecting process 3576 (thread 3612) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,697 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:11,697 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:11,697 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:11,697 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:11,713 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:11,713 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:11,713 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,713 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:11,713 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:11,713 [root] DEBUG: Loader: Injecting process 3540 (thread 3780) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,713 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:11,729 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:11,729 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:11,729 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:11,729 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:11,729 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:11,744 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,744 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:11,744 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:11,759 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,759 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3984_20499253901128014382019
2019-08-13 23:48:11,759 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:11,759 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3576
2019-08-13 23:48:11,759 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:11,759 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:11,759 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:11,776 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:11,776 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:11,776 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:11,776 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:11,792 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,792 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:11,806 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:11,806 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3540
2019-08-13 23:48:11,806 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:11,806 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:11,822 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3320
2019-08-13 23:48:11,822 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:11,822 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:11,822 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:11,822 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:11,838 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-08-13 23:48:11,838 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:11,838 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:11,854 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:11,854 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000000E5000-0x00000000000F0000
2019-08-13 23:48:11,854 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:11,854 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:11,901 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:11,901 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:11,901 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:11,901 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:11,901 [root] INFO: Added new process to list with pid: 3576
2019-08-13 23:48:11,901 [root] DEBUG: DLL loaded at 0x72760000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2019-08-13 23:48:11,915 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:11,915 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:11,915 [root] INFO: Monitor successfully loaded in process with pid 3576.
2019-08-13 23:48:11,931 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:11,931 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2019-08-13 23:48:11,931 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:11,931 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:11,931 [root] DEBUG: GetHookCallerBase: thread 3612 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:11,931 [root] DEBUG: Loader: Injecting process 3320 (thread 3268) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:11,947 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x0000000000084000-0x0000000000180000
2019-08-13 23:48:11,947 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3876
2019-08-13 23:48:11,947 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:11,947 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:11,963 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:11,963 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:11,963 [root] INFO: Added new process to list with pid: 3540
2019-08-13 23:48:11,993 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:12,040 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:12,040 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:12,040 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,040 [root] INFO: Monitor successfully loaded in process with pid 3540.
2019-08-13 23:48:12,040 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:12,040 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:12,040 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:12,056 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:12,181 [root] DEBUG: GetHookCallerBase: thread 3780 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:12,181 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:12,181 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:12,213 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:12,213 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:12,243 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:12,243 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:12,243 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:12,243 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3576_9239106581228014382019
2019-08-13 23:48:12,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:12,259 [root] DEBUG: Loader: Injecting process 3876 (thread 3968) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,259 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,259 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:12,259 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:12,259 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:12,275 [root] DEBUG: Process image base: 0x000000004A870000
2019-08-13 23:48:12,275 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3320
2019-08-13 23:48:12,275 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:12,290 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,290 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:12,290 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000004A8C9000 - 0x0000000077380000
2019-08-13 23:48:12,290 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:12,290 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:12,290 [root] DEBUG: InjectDllViaIAT: Allocated 0x1bc bytes for new import table at 0x000000004A8D0000.
2019-08-13 23:48:12,305 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:12,305 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3540_2640356761228014382019
2019-08-13 23:48:12,305 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:12,305 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:12,322 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:12,322 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:12,322 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:12,322 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,338 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:12,338 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:12,338 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:12,338 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:12,338 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3876
2019-08-13 23:48:12,352 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:12,352 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:12,352 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000000A5000-0x00000000000B0000
2019-08-13 23:48:12,352 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:12,352 [root] DEBUG: DLL unloaded from 0x75530000.
2019-08-13 23:48:12,368 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:12,368 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:12,368 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:12,384 [root] INFO: Added new process to list with pid: 3320
2019-08-13 23:48:12,384 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3512
2019-08-13 23:48:12,384 [root] DEBUG: DLL unloaded from 0x72760000.
2019-08-13 23:48:12,384 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:12,400 [root] INFO: Monitor successfully loaded in process with pid 3320.
2019-08-13 23:48:12,400 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:12,400 [root] DEBUG: DLL unloaded from 0x77050000.
2019-08-13 23:48:12,400 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:12,400 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:12,415 [root] DEBUG: GetHookCallerBase: thread 3268 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:12,415 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:12,415 [root] INFO: Announced 64-bit process name: svchost.exe pid: 3924
2019-08-13 23:48:12,415 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:12,415 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:12,415 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:12,415 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:12,430 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:12,430 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:12,430 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:12,430 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:12,430 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:12,447 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:12,447 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:12,447 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:12,447 [root] DEBUG: Loader: Injecting process 3512 (thread 3744) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,447 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:12,447 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:12,461 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000004A870000, stack from 0x00000000000A4000-0x00000000001A0000
2019-08-13 23:48:12,461 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:12,461 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:12,461 [root] INFO: Added new process to list with pid: 3876
2019-08-13 23:48:12,461 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:12,461 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,461 [root] INFO: Monitor successfully loaded in process with pid 3876.
2019-08-13 23:48:12,477 [root] DEBUG: Loader: Injecting process 3924 (thread 3096) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,477 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:12,493 [root] DEBUG: Process image base: 0x00000000FF8E0000
2019-08-13 23:48:12,509 [root] DEBUG: GetHookCallerBase: thread 3968 (handle 0x0), return address 0x000000004A879099, allocation base 0x000000004A870000.
2019-08-13 23:48:12,509 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:12,509 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,509 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000004A870000 main_caller_retaddr 0x000000004A879099 parent_caller_retaddr 0x000000004A8798F3.
2019-08-13 23:48:12,509 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3320_17148355021228014382019
2019-08-13 23:48:12,509 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF8EB000 - 0x000007FEFF6A0000
2019-08-13 23:48:12,509 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:12,509 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000004A870000.
2019-08-13 23:48:12,509 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:12,525 [root] DEBUG: InjectDllViaIAT: Allocated 0x20c bytes for new import table at 0x00000000FF8F0000.
2019-08-13 23:48:12,525 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000090B4.
2019-08-13 23:48:12,525 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,525 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:12,525 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:12,525 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3512
2019-08-13 23:48:12,525 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\System32\cryptbase (0xf000 bytes).
2019-08-13 23:48:12,525 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,525 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:12,539 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:12,539 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3924
2019-08-13 23:48:12,555 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:12,555 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:12,555 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:12,555 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:12,555 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:12,572 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3876_20598018591228014382019
2019-08-13 23:48:12,572 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:12,572 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:12,572 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x54400.
2019-08-13 23:48:12,586 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:12,586 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:12,586 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x0000000000165000-0x0000000000170000
2019-08-13 23:48:12,586 [root] DEBUG: Dump-on-API: Dumped module at 0x000000004A870000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:12,586 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:12,586 [root] INFO: Added new process to list with pid: 3512
2019-08-13 23:48:12,586 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:12,618 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:12,618 [root] INFO: Monitor successfully loaded in process with pid 3512.
2019-08-13 23:48:12,634 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-08-13 23:48:12,634 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FF8E0000, stack from 0x0000000000275000-0x0000000000280000
2019-08-13 23:48:12,650 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:12,650 [root] INFO: Announced 64-bit process name: powershell.exe pid: 3272
2019-08-13 23:48:12,650 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:12,696 [root] INFO: Added new process to list with pid: 3924
2019-08-13 23:48:12,696 [root] DEBUG: GetHookCallerBase: thread 3744 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:12,696 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:12,696 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:12,696 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:12,696 [root] INFO: Monitor successfully loaded in process with pid 3924.
2019-08-13 23:48:12,727 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:12,727 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:12,727 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:12,743 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:12,743 [root] DEBUG: DLL loaded at 0x000007FEF4350000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2019-08-13 23:48:12,759 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:12,759 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:12,759 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:12,759 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:12,759 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:12,773 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:12,773 [root] DEBUG: DLL loaded at 0x000007FEF4240000: C:\Windows\system32\webio (0x64000 bytes).
2019-08-13 23:48:12,884 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:12,884 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:12,884 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:12,884 [root] DEBUG: Loader: Injecting process 3272 (thread 3620) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,898 [root] DEBUG: Process image base: 0x000000013F450000
2019-08-13 23:48:12,914 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:12,914 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:12,946 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3512_16900529761228014382019
2019-08-13 23:48:12,976 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013F4C7000 - 0x000007FEFF6A0000
2019-08-13 23:48:12,993 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:12,993 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:13,007 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FWZHXPAMGXOCI3VO88D.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4FWZHXPAMGXOCI3VO88D.temp'
2019-08-13 23:48:13,007 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013F4D0000.
2019-08-13 23:48:13,007 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:13,007 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FWZHXPAMGXOCI3VO88D.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4FWZHXPAMGXOCI3VO88D.temp'
2019-08-13 23:48:13,023 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 23:48:13,023 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:13,039 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:13,039 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:13,039 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-08-13 23:48:13,039 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3272
2019-08-13 23:48:13,039 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:13,039 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FWZHXPAMGXOCI3VO88D.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\4FWZHXPAMGXOCI3VO88D.temp'
2019-08-13 23:48:13,055 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:13,055 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:13,055 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:13,055 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861140.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF861140.TMP'
2019-08-13 23:48:13,055 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:13,071 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:13,071 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:13,071 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:13,071 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:13,085 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FWZHXPAMGXOCI3VO88D.temp" does not exist, skip.
2019-08-13 23:48:13,085 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:13,101 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:13,101 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:13,101 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:13,118 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-08-13 23:48:13,118 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:13,118 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:13,118 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2019-08-13 23:48:13,118 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x000000013F450000, stack from 0x00000000001C5000-0x00000000001D0000
2019-08-13 23:48:13,132 [root] INFO: Notified of termination of process with pid 2936.
2019-08-13 23:48:13,132 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:13,132 [root] INFO: Added new process to list with pid: 3272
2019-08-13 23:48:13,148 [root] INFO: Monitor successfully loaded in process with pid 3272.
2019-08-13 23:48:13,148 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:13,148 [root] DEBUG: DLL loaded at 0x000007FEFCCB0000: C:\Windows\system32\bcrypt (0x22000 bytes).
2019-08-13 23:48:13,180 [root] DEBUG: GetHookCallerBase: thread 3620 (handle 0x0), return address 0x000000013F45C7D9, allocation base 0x000000013F450000.
2019-08-13 23:48:13,196 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:13,196 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:13,196 [root] DEBUG: Dump-on-API: GetHookCallerBase 0x000000013F450000 main_caller_retaddr 0x000000013F45C7D9 parent_caller_retaddr 0x000000013F45C453.
2019-08-13 23:48:13,226 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000000013F450000.
2019-08-13 23:48:13,226 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:13,226 [root] DEBUG: DLL loaded at 0x000007FEFCCE0000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2019-08-13 23:48:13,273 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000C63C.
2019-08-13 23:48:13,289 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:13,289 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-08-13 23:48:13,305 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-08-13 23:48:13,305 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:13,335 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-08-13 23:48:13,351 [root] INFO: Added new CAPE file to list with path: C:\dpatymp\CAPE\3272_16729407281328014382019
2019-08-13 23:48:13,367 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x73e00.
2019-08-13 23:48:13,367 [root] DEBUG: Dump-on-API: Dumped module at 0x000000013F450000 due to SetUnhandledExceptionFilter call.
2019-08-13 23:48:13,367 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:13,367 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:13,367 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FWZHXPAMGXOCI3VO88D.temp" does not exist, skip.
2019-08-13 23:48:13,382 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-08-13 23:48:13,382 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:13,382 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-08-13 23:48:13,398 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:13,398 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2019-08-13 23:48:13,444 [root] INFO: Process with pid 2936 has terminated
2019-08-13 23:48:13,444 [root] INFO: Process with pid 2344 has terminated
2019-08-13 23:48:13,492 [root] DEBUG: DLL loaded at 0x000007FEFBD70000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-08-13 23:48:13,507 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-08-13 23:48:13,507 [root] DEBUG: DLL loaded at 0x000007FEFB1A0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-08-13 23:48:13,523 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-08-13 23:48:13,539 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-08-13 23:48:13,539 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:13,553 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-08-13 23:48:13,553 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:13,553 [root] DEBUG: DLL loaded at 0x000007FEFB190000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-08-13 23:48:13,553 [root] INFO: Notified of termination of process with pid 2608.
2019-08-13 23:48:13,553 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-08-13 23:48:13,569 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-08-13 23:48:13,601 [root] DEBUG: DLL loaded at 0x000007FEFE710000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-08-13 23:48:13,601 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:13,601 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:13,617 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-08-13 23:48:13,617 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-08-13 23:48:13,617 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:13,756 [root] DEBUG: DLL unloaded from 0x74720000.
2019-08-13 23:48:13,756 [root] DEBUG: DLL unloaded from 0x75700000.
2019-08-13 23:48:13,756 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-08-13 23:48:13,803 [root] INFO: Notified of termination of process with pid 2284.
2019-08-13 23:48:13,990 [root] DEBUG: DLL loaded at 0x000007FEF7A60000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-08-13 23:48:14,022 [root] DEBUG: DLL loaded at 0x000007FEF8540000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-08-13 23:48:14,038 [root] DEBUG: DLL loaded at 0x000007FEFCDE0000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-08-13 23:48:14,381 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:14,381 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:14,474 [root] INFO: Process with pid 2608 has terminated
2019-08-13 23:48:14,490 [root] INFO: Process with pid 2284 has terminated
2019-08-13 23:48:14,552 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:14,568 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:14,615 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WV021LSWL1TA5T22FZ4.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7WV021LSWL1TA5T22FZ4.temp'
2019-08-13 23:48:14,631 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WV021LSWL1TA5T22FZ4.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7WV021LSWL1TA5T22FZ4.temp'
2019-08-13 23:48:14,645 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:14,645 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WV021LSWL1TA5T22FZ4.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7WV021LSWL1TA5T22FZ4.temp'
2019-08-13 23:48:14,661 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861796.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF861796.TMP'
2019-08-13 23:48:14,677 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:14,677 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WV021LSWL1TA5T22FZ4.temp" does not exist, skip.
2019-08-13 23:48:14,865 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:14,865 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:15,177 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:15,191 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WV021LSWL1TA5T22FZ4.temp" does not exist, skip.
2019-08-13 23:48:15,207 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:15,223 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:15,380 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:15,394 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:15,473 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00URLMQA9IJM8JOOXBI9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\00URLMQA9IJM8JOOXBI9.temp'
2019-08-13 23:48:15,489 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00URLMQA9IJM8JOOXBI9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\00URLMQA9IJM8JOOXBI9.temp'
2019-08-13 23:48:15,489 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:15,503 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00URLMQA9IJM8JOOXBI9.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\00URLMQA9IJM8JOOXBI9.temp'
2019-08-13 23:48:15,519 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861af0.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF861af0.TMP'
2019-08-13 23:48:15,536 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:15,551 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00URLMQA9IJM8JOOXBI9.temp" does not exist, skip.
2019-08-13 23:48:15,566 [root] INFO: Process with pid 1460 has terminated
2019-08-13 23:48:15,566 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:15,582 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00URLMQA9IJM8JOOXBI9.temp" does not exist, skip.
2019-08-13 23:48:15,598 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:15,614 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:16,346 [root] INFO: Stopped Task Scheduler Service
2019-08-13 23:48:16,378 [root] INFO: Started Task Scheduler Service
2019-08-13 23:48:16,408 [lib.api.process] INFO: Option 'dump-on-api' with value 'SetUnhandledExceptionFilter' sent to monitor
2019-08-13 23:48:16,408 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-08-13 23:48:16,424 [lib.api.process] INFO: 64-bit DLL to inject is C:\dpatymp\dll\Fpgcxsg.dll, loader C:\dpatymp\bin\oSELUoUJ.exe
2019-08-13 23:48:16,440 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PyxZcn.
2019-08-13 23:48:16,456 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:16,456 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-08-13 23:48:16,471 [root] DEBUG: CAPE debug - unrecognised key terminate-processes.
2019-08-13 23:48:16,486 [root] DEBUG: Added 'SetUnhandledExceptionFilter' to dump-on-API list.
2019-08-13 23:48:16,503 [root] DEBUG: Process memory dumps disabled.
2019-08-13 23:48:16,503 [root] INFO: Disabling sleep skipping.
2019-08-13 23:48:16,533 [root] DEBUG: CAPE initialised: 64-bit DumpOnAPI package loaded at 0x0000000074470000, process image base 0x00000000FF8E0000, stack from 0x0000000001846000-0x0000000001850000
2019-08-13 23:48:16,549 [root] INFO: Added new process to list with pid: 816
2019-08-13 23:48:16,549 [root] INFO: Monitor successfully loaded in process with pid 816.
2019-08-13 23:48:16,549 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-08-13 23:48:16,565 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-08-13 23:48:16,581 [root] DEBUG: Successfully injected DLL C:\dpatymp\dll\Fpgcxsg.dll.
2019-08-13 23:48:16,736 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:16,752 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:16,892 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:16,892 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:17,002 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:17,049 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:17,063 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:17,095 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH98NF2RZT5WSR1I6TTJ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KH98NF2RZT5WSR1I6TTJ.temp'
2019-08-13 23:48:17,111 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH98NF2RZT5WSR1I6TTJ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KH98NF2RZT5WSR1I6TTJ.temp'
2019-08-13 23:48:17,111 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:17,111 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH98NF2RZT5WSR1I6TTJ.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\KH98NF2RZT5WSR1I6TTJ.temp'
2019-08-13 23:48:17,127 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF862137.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF862137.TMP'
2019-08-13 23:48:17,127 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:17,141 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH98NF2RZT5WSR1I6TTJ.temp" does not exist, skip.
2019-08-13 23:48:17,174 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:17,188 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:17,204 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:17,204 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH98NF2RZT5WSR1I6TTJ.temp" does not exist, skip.
2019-08-13 23:48:17,204 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:17,220 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5CNXL2RV67SIHM2WHXP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C5CNXL2RV67SIHM2WHXP.temp'
2019-08-13 23:48:17,220 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:17,220 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5CNXL2RV67SIHM2WHXP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C5CNXL2RV67SIHM2WHXP.temp'
2019-08-13 23:48:17,236 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:17,252 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:17,266 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5CNXL2RV67SIHM2WHXP.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C5CNXL2RV67SIHM2WHXP.temp'
2019-08-13 23:48:17,266 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:17,282 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8621b4.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF8621b4.TMP'
2019-08-13 23:48:17,298 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:17,298 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5CNXL2RV67SIHM2WHXP.temp" does not exist, skip.
2019-08-13 23:48:17,313 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:17,375 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:17,375 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:17,391 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:17,407 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5CNXL2RV67SIHM2WHXP.temp" does not exist, skip.
2019-08-13 23:48:17,407 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:17,423 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\615SRXKF4A41J5OI6IZH.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\615SRXKF4A41J5OI6IZH.temp'
2019-08-13 23:48:17,423 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:17,423 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\615SRXKF4A41J5OI6IZH.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\615SRXKF4A41J5OI6IZH.temp'
2019-08-13 23:48:17,423 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:17,438 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\615SRXKF4A41J5OI6IZH.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\615SRXKF4A41J5OI6IZH.temp'
2019-08-13 23:48:17,470 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF86227f.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF86227f.TMP'
2019-08-13 23:48:17,486 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:17,486 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\615SRXKF4A41J5OI6IZH.temp" does not exist, skip.
2019-08-13 23:48:17,486 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:17,500 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:17,595 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:17,595 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:17,703 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:17,703 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\615SRXKF4A41J5OI6IZH.temp" does not exist, skip.
2019-08-13 23:48:17,703 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:17,720 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:17,750 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:17,766 [root] INFO: Notified of termination of process with pid 3804.
2019-08-13 23:48:17,812 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:17,828 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:17,828 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:17,828 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:17,891 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2K4ZAUULGYCREHU3A7GI.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\2K4ZAUULGYCREHU3A7GI.temp'
2019-08-13 23:48:17,891 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2K4ZAUULGYCREHU3A7GI.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\2K4ZAUULGYCREHU3A7GI.temp'
2019-08-13 23:48:17,907 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:17,907 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2K4ZAUULGYCREHU3A7GI.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\2K4ZAUULGYCREHU3A7GI.temp'
2019-08-13 23:48:17,921 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF862453.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF862453.TMP'
2019-08-13 23:48:17,921 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:17,937 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2K4ZAUULGYCREHU3A7GI.temp" does not exist, skip.
2019-08-13 23:48:18,032 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:18,032 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:18,032 [root] INFO: Notified of termination of process with pid 2072.
2019-08-13 23:48:18,078 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:18,109 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2K4ZAUULGYCREHU3A7GI.temp" does not exist, skip.
2019-08-13 23:48:18,109 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:18,109 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:18,109 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:18,155 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:18,266 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:18,280 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:18,312 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:18,328 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:18,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\051CVCIDZ81FLK2NHLUB.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\051CVCIDZ81FLK2NHLUB.temp'
2019-08-13 23:48:18,358 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\051CVCIDZ81FLK2NHLUB.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\051CVCIDZ81FLK2NHLUB.temp'
2019-08-13 23:48:18,375 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:18,375 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\051CVCIDZ81FLK2NHLUB.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\051CVCIDZ81FLK2NHLUB.temp'
2019-08-13 23:48:18,390 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF862627.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF862627.TMP'
2019-08-13 23:48:18,390 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:18,390 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:18,405 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\051CVCIDZ81FLK2NHLUB.temp" does not exist, skip.
2019-08-13 23:48:18,405 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:18,421 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:18,437 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\051CVCIDZ81FLK2NHLUB.temp" does not exist, skip.
2019-08-13 23:48:18,453 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:18,453 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D68PTUSWPES1UVR1TALK.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\D68PTUSWPES1UVR1TALK.temp'
2019-08-13 23:48:18,453 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:18,500 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D68PTUSWPES1UVR1TALK.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\D68PTUSWPES1UVR1TALK.temp'
2019-08-13 23:48:18,515 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:18,530 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:18,530 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:18,530 [root] DEBUG: DLL loaded at 0x000007FEF8EC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-08-13 23:48:18,546 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D68PTUSWPES1UVR1TALK.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\D68PTUSWPES1UVR1TALK.temp'
2019-08-13 23:48:18,562 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8626d2.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF8626d2.TMP'
2019-08-13 23:48:18,562 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:18,578 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:18,578 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:18,578 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D68PTUSWPES1UVR1TALK.temp" does not exist, skip.
2019-08-13 23:48:18,608 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-08-13 23:48:18,624 [root] DEBUG: DLL loaded at 0x000007FEFB3D0000: C:\Windows\system32\taskschd (0x127000 bytes).
2019-08-13 23:48:18,655 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:18,671 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D68PTUSWPES1UVR1TALK.temp" does not exist, skip.
2019-08-13 23:48:18,671 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:18,687 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:18,687 [root] INFO: Process with pid 2072 has terminated
2019-08-13 23:48:18,701 [root] INFO: Process with pid 2636 has terminated
2019-08-13 23:48:18,701 [root] INFO: Process with pid 3804 has terminated
2019-08-13 23:48:18,701 [root] INFO: Process with pid 2528 has terminated
2019-08-13 23:48:18,733 [root] INFO: Process with pid 3576 has terminated
2019-08-13 23:48:18,733 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:18,733 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:18,749 [root] INFO: Notified of termination of process with pid 3352.
2019-08-13 23:48:18,749 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:18,779 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIK6WUHICL2RWRB30W8D.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\FIK6WUHICL2RWRB30W8D.temp'
2019-08-13 23:48:18,796 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:18,796 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIK6WUHICL2RWRB30W8D.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\FIK6WUHICL2RWRB30W8D.temp'
2019-08-13 23:48:18,812 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:18,812 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:18,874 [root] DEBUG: DLL loaded at 0x000007FEFB320000: C:\Windows\system32\slc (0xb000 bytes).
2019-08-13 23:48:18,874 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIK6WUHICL2RWRB30W8D.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\FIK6WUHICL2RWRB30W8D.temp'
2019-08-13 23:48:18,936 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-08-13 23:48:18,951 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-08-13 23:48:18,951 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF86280a.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF86280a.TMP'
2019-08-13 23:48:18,967 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:18,999 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIK6WUHICL2RWRB30W8D.temp" does not exist, skip.
2019-08-13 23:48:19,013 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ES35ME0QQSFAHQPO7E3K.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ES35ME0QQSFAHQPO7E3K.temp'
2019-08-13 23:48:19,029 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ES35ME0QQSFAHQPO7E3K.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ES35ME0QQSFAHQPO7E3K.temp'
2019-08-13 23:48:19,061 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2019-08-13 23:48:19,092 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:19,108 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:19,108 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ES35ME0QQSFAHQPO7E3K.temp": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ES35ME0QQSFAHQPO7E3K.temp'
2019-08-13 23:48:19,124 [root] INFO: Notified of termination of process with pid 1548.
2019-08-13 23:48:19,154 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8628f4.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF8628f4.TMP'
2019-08-13 23:48:19,170 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:19,186 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms'
2019-08-13 23:48:19,201 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIK6WUHICL2RWRB30W8D.temp" does not exist, skip.
2019-08-13 23:48:19,201 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ES35ME0QQSFAHQPO7E3K.temp" does not exist, skip.
2019-08-13 23:48:19,233 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:19,247 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:19,263 [root] DEBUG: DLL loaded at 0x000007FEF3FA0000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-08-13 23:48:19,404 [root] WARNING: File at path "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ES35ME0QQSFAHQPO7E3K.temp" does not exist, skip.
2019-08-13 23:48:19,436 [root] DEBUG: DLL loaded at 0x000007FEF2270000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-08-13 23:48:19,482 [root] DEBUG: DLL loaded at 0x00000000743A0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-08-13 23:48:19,763 [root] INFO: Process with pid 1548 has terminated
2019-08-13 23:48:19,779 [root] INFO: Process with pid 2008 has terminated
2019-08-13 23:48:19,793 [root] INFO: Process with pid 3352 has terminated
2019-08-13 23:48:20,168 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:20,168 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:20,200 [root] INFO: Notified of termination of process with pid 2180.
2019-08-13 23:48:20,762 [root] DEBUG: DLL unloaded from 0x000007FEFB3D0000.
2019-08-13 23:48:20,776 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:20,792 [root] INFO: Notified of termination of process with pid 3924.
2019-08-13 23:48:20,823 [root] INFO: Process with pid 2180 has terminated
2019-08-13 23:48:20,855 [root] INFO: Process with pid 3924 has terminated
2019-08-13 23:48:21,230 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:21,230 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:21,230 [root] INFO: Notified of termination of process with pid 828.
2019-08-13 23:48:21,884 [root] INFO: Process with pid 828 has terminated
2019-08-13 23:48:21,900 [root] INFO: Process with pid 1412 has terminated
2019-08-13 23:48:22,259 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:22,275 [root] INFO: Notified of termination of process with pid 580.
2019-08-13 23:48:22,275 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:22,960 [root] INFO: Process with pid 2024 has terminated
2019-08-13 23:48:22,960 [root] INFO: Process with pid 580 has terminated
2019-08-13 23:48:22,976 [root] INFO: Process with pid 2248 has terminated
2019-08-13 23:48:23,303 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:23,319 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:23,319 [root] INFO: Notified of termination of process with pid 2068.
2019-08-13 23:48:24,006 [root] INFO: Process with pid 2068 has terminated
2019-08-13 23:48:24,006 [root] INFO: Process with pid 3040 has terminated
2019-08-13 23:48:24,334 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:24,349 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:24,349 [root] INFO: Notified of termination of process with pid 3008.
2019-08-13 23:48:25,052 [root] INFO: Process with pid 3008 has terminated
2019-08-13 23:48:25,364 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:25,378 [root] INFO: Notified of termination of process with pid 2760.
2019-08-13 23:48:26,081 [root] INFO: Process with pid 2760 has terminated
2019-08-13 23:48:26,081 [root] INFO: Process with pid 2616 has terminated
2019-08-13 23:48:26,424 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:27,111 [root] INFO: Process with pid 1192 has terminated
2019-08-13 23:48:27,453 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:27,453 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:27,470 [root] INFO: Notified of termination of process with pid 3876.
2019-08-13 23:48:28,155 [root] INFO: Process with pid 3876 has terminated
2019-08-13 23:48:28,171 [root] INFO: Process with pid 3272 has terminated
2019-08-13 23:48:28,499 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:28,515 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:28,515 [root] INFO: Notified of termination of process with pid 3176.
2019-08-13 23:48:29,200 [root] INFO: Process with pid 3176 has terminated
2019-08-13 23:48:29,217 [root] INFO: Process with pid 3300 has terminated
2019-08-13 23:48:29,559 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:29,591 [root] INFO: Notified of termination of process with pid 3984.
2019-08-13 23:48:29,591 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:29,934 [root] DEBUG: DLL unloaded from 0x000007FEFBAC0000.
2019-08-13 23:48:30,339 [root] INFO: Process with pid 3984 has terminated
2019-08-13 23:48:30,371 [root] INFO: Process with pid 3320 has terminated
2019-08-13 23:48:30,651 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:30,667 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:30,683 [root] INFO: Notified of termination of process with pid 3540.
2019-08-13 23:48:31,431 [root] INFO: Process with pid 3540 has terminated
2019-08-13 23:48:31,713 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:31,743 [root] INFO: Notified of termination of process with pid 2920.
2019-08-13 23:48:31,743 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:32,461 [root] INFO: Process with pid 2920 has terminated
2019-08-13 23:48:32,476 [root] INFO: Process with pid 3512 has terminated
2019-08-13 23:48:32,789 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:32,805 [root] INFO: Notified of termination of process with pid 3452.
2019-08-13 23:48:32,805 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:33,506 [root] INFO: Process with pid 3452 has terminated
2019-08-13 23:48:33,522 [root] INFO: Process with pid 4064 has terminated
2019-08-13 23:48:33,865 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:33,881 [root] INFO: Notified of termination of process with pid 2696.
2019-08-13 23:48:33,881 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-08-13 23:48:34,552 [root] INFO: Process with pid 2696 has terminated
2019-08-13 23:48:34,568 [root] INFO: Process with pid 3304 has terminated
2019-08-13 23:48:34,582 [root] INFO: Process with pid 3664 has terminated
2019-08-13 23:48:34,941 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-08-13 23:48:34,973 [root] INFO: Notified of termination of process with pid 1248.
2019-08-13 23:48:35,596 [root] INFO: Process with pid 1248 has terminated
2019-08-13 23:48:36,627 [root] INFO: Process with pid 3700 has terminated
2019-08-13 23:51:24,950 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 23:51:24,950 [root] INFO: Created shutdown mutex.
2019-08-13 23:51:25,980 [root] INFO: Shutting down package.
2019-08-13 23:51:25,980 [root] INFO: Stopping auxiliary modules.
2019-08-13 23:51:25,996 [root] INFO: Finishing auxiliary modules.
2019-08-13 23:51:25,996 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 23:51:26,012 [root] WARNING: File at path "C:\osCHmo\debugger" does not exist, skip.
2019-08-13 23:51:26,012 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-08-13 22:47:58 2019-08-13 22:51:42

File Details

File Name 7914d86e352c6d4681629dd737dc51c5df30d1e3cb2da4acdb8b019ac8f60ceb
File Size 677142 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 589200c0cc7b9ee82f3dc564a0128945
SHA1 526cd1acdd5b96fa059e99b236da89183fb69c23
SHA256 7914d86e352c6d4681629dd737dc51c5df30d1e3cb2da4acdb8b019ac8f60ceb
SHA512 12c16d8d547fcb6296f70d1e8faffa7d9a464c537d7cf36e91d74f4a49ef5e5e0b8e58846dc1bc96515497c8e23ff89dc34e8b450132d0974907a62aca93fe69
CRC32 342809D0
Ssdeep 12288:gSqiDKCiueQ5qVdlf49wOK6BGfLZu54oFBsM0Nb:gSxriueQ5wEw6BGDZGeM0Nb
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X50CSNQ7BVAPD5OGLBXA.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YB1A0SILKRZ6QYVMR59H.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Possible date expiration check, exits too soon after checking local time
process: cmd.exe, PID 832
Anomalous file deletion behavior detected (10+)
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: CRYPT32.dll/CryptProtectData
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: LINKINFO.dll/IsValidLinkInfo
DynamicLoader: propsys.dll/
DynamicLoader: propsys.dll/PSGetNameFromPropertyKey
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/InitVariantFromBuffer
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToGUID
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorControl
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
A process created a hidden window
Process: xhRSI8L8Kam.exe -> C:\ProgramData\ропрУВаЫсен.exe
Process: ропрУВаЫсен.exe -> cmd.exe
A scripting utility was executed
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: powershell Set-MpPreference -DisableIOAVProtection $true
command: powershell Set-MpPreference -DisablePrivacyMode $true
command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: powershell Set-MpPreference -SevereThreatDefaultAction 6
command: powershell Set-MpPreference -LowThreatDefaultAction 6
command: powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: powershell Set-MpPreference -DisableScriptScanning $true
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
command: cmd.exe /c sc stop WinDefend
command: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
command: cmd.exe /c sc delete WinDefend
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
command: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
command: cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
command: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
command: cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
command: sc stop WinDefend
command: sc delete WinDefend
Attempts to stop active services
servicename: WinDefend
Spoofs its process name and/or associated pathname to appear as a legitimate process
original_path: C:\Windows\system32\svchost.exe
original_name: svchost.exe
modified_name: svchost.exe
modified_path: C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсен.exe
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF85fdcf.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF85fcc6.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF860290.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF939b26.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861796.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861af0.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861140.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8621b4.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF862137.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF86227f.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF86280a.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF862453.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8626d2.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF862627.TMP
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8628f4.TMP
Creates a copy of itself
copy: C:\ProgramData\ропрУВаЫсен.exe
copy: C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсен.exe
Attempts to disable Windows Defender

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\xhRSI8L8Kam.exe
C:\ProgramData\ропрУВаЫсен.exe
\??\MountPointManager
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Crypto
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-120665959-548228820-2376508522-1001\f58155b4b1d5a524ca0261c3ee99fb50_fb20aa52-1ec9-4d1f-b923-f6709499e604
C:\ProgramData\*
C:\Users\user\AppData\Roaming\syslink
C:\Users\user\AppData\Roaming\syslink\ропрУВаЫсен.exe
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\sc.*
C:\Users\user\AppData\Local\Temp\sc
C:\Windows\sysnative\sc.*
C:\Windows\sysnative\sc.COM
C:\Windows\sysnative\sc.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\powershell.*
C:\Users\user\AppData\Local\Temp\powershell
C:\Windows\sysnative\powershell.*
C:\Windows\sysnative\powershell
C:\Windows\powershell.*
C:\Windows\powershell
C:\Windows\sysnative\wbem\powershell.*
C:\Windows\sysnative\wbem\powershell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.COM
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe
C:\Windows
C:\Windows\sysnative
C:\Windows\sysnative\WindowsPowerShell\v1.0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\user\Desktop\desktop.ini
::\
::\{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}
::\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
::\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::\{2559A1F1-21D7-11D4-BDAF-00C04F60B9F0}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\desktop.ini
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
::\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\user\Desktop
C:\Users\Public\Desktop
C:\Users\Public
C:\Users\Public\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\user\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
\??\PIPE\srvsvc
C:\DosDevices\pipe\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\
C:\Windows\sysnative\windowspowershell\v1.0\powershell_ise.exe
C:\Windows\sysnative\windowspowershell
C:\Windows\sysnative\WindowsPowerShell
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\
C:\Windows\hh.exe
C:\Windows\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJA1ZE0X0KTJ9ZOGCPAP.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF85fdcf.TMP
C:\Windows\sysnative\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\*
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe.Local\
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVEHJ6CD8WYU644TVRMC.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF85fcc6.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SI06RC9QYAI5D04ZK0LL.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X50CSNQ7BVAPD5OGLBXA.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EL8UGNF6Y7NA8JA1N0MZ.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\653YFRECRPC3YC5HN16B.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF860290.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G5O0U5TU7T3758SDE5KV.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF939b26.TMP
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WV021LSWL1TA5T22FZ4.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF861796.TMP
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00URLMQA9IJM8JOOXBI9.temp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\???????????.exe
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_CLASSES_ROOT\.lnk\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\UserChoice
HKEY_CLASSES_ROOT\lnkfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\DocObject
HKEY_CLASSES_ROOT\SystemFileAssociations\.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\CLSID\(Default)
HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\Implemented Categories\{00021490-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-735
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-734
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\AccessibilityCpl.dll,-10
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\ie4uinit.exe,-737
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Roamable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qbjaybnqf\Nhgbehaf64.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P1P6S8NP-40N3-0S5P-146S-65N9QP70OOO4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\qvfcynlfjvgpu.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Jvaqbjf Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\KCF Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Snk naq Fpna.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Jbeq 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Rkpry 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bhgybbx 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg CbjreCbvag 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg BarAbgr 2010.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqbor Ernqre 9.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Benpyr IZ IveghnyObk Thrfg Nqqvgvbaf\Havafgnyy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Aneengbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Ba-Fperra Xrlobneq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Flfgrz Gbbyf\Cevingr Punenpgre Rqvgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npebong.pbz.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Fvqrone.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf QIQ Znxre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jvaqbjf Zrqvn Cynlre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zngu Vachg Cnary.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Zbovyvgl Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\ArgjbexCebwrpgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fbhaq Erpbeqre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flap Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jbeqcnq.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Npprffvovyvgl\Fcrrpu Erpbtavgvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\qsethv.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Qvfx Pyrnahc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Erfbhepr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Vasbezngvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Flfgrz Erfgber.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre Ercbegf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Jvaqbjf Rnfl Genafsre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\FuncrPbyyrpgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\GnoGvc.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Gnoyrg CP\Jvaqbjf Wbheany.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR (k86).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy VFR.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzcbarag Freivprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Pbzchgre Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Qngn Fbheprf (BQOP).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Rirag Ivrjre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\vFPFV Vavgvngbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Zrzbel Qvntabfgvpf Gbby.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cresbeznapr Zbavgbe.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Cevag Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Frphevgl Pbasvthengvba Znantrzrag.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Flfgrz Pbasvthengvba.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Gnfx Fpurqhyre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf Sverjnyy jvgu Nqinaprq Frphevgl.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Jvaqbjf CbjreFuryy Zbqhyrf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Perngr Erpbirel Qvfp.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Znvagranapr\Erzbgr Nffvfgnapr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Qvtvgny Pregvsvpngr sbe ION Cebwrpgf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Pyvc Betnavmre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Ynathntr Cersreraprf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr 2010 Hcybnq Pragre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Zvpebfbsg Bssvpr Cvpgher Znantre.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr 2010 Gbbyf\Bssvpr Nalgvzr Hctenqr.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\VQYR (Clguba THV).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Zbqhyr Qbpf.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Clguba 2.7\Clguba (pbzznaq yvar).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\aneengbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bfx.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\rhqprqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Nqbor\Npebong.pbz\Npebong.pbz.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{Q4N262QQ-PR44-Q105-S36O-9Q77N8PO65N4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfNalgvzrHctenqrHV.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\QIQ Znxre\QIQZnxre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnCynlre32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\zvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{NN198O3P-PQ8P-7QR1-98Q1-O460S637193O}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ArgCebw.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FbhaqErpbeqre.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zboflap.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf AG\Npprffbevrf\jbeqcnq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{QNN168QR-4306-P8OP-8P11-O596240OQQRQ}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\puneznc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qsethv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pyrnazte.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{P804OON7-SN5S-POS7-8O55-2096R5S972PO}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvasb32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\efgehv.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\cbfgzvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zvtjvm\zvtjvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\FuncrPbyyrpgbe.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Pbzzba Svyrf\Zvpebfbsg Funerq\Vax\GnoGvc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Jvaqbjf Wbheany\Wbheany.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pbzrkc.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NOQ94SO-R7Q6-84N6-N997-P918RQQR0NR5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\bqopnq32.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OO044OSQ-25O7-2SNN-22N8-6371N93R0456}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\vfpfvpcy.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\ZqFpurq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{8NN47365-O2O3-1961-69RO-S866R376O12S}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\cevagznantrzrag.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{OQ3S924R-55SO-N1ON-9QR6-O50S9S2460NP}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfpbasvt.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JS.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{15067OP1-P5N8-425R-37P6-SN0O891674S9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erpqvfp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfen.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxBssvprQvtvgnyFSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\ZFGBER.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxFrgYnathntrSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\x01ko'OIs!!!!!!!!!ZXXFxJkcSvyrf<
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BVF.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Pbzzba Svyrf\zvpebfbsg funerq\BSSVPR14\Bssvpr Frghc Pbagebyyre\cebzb.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.NhgbTrarengrq.{53123611-QN37-S8QN-SNP9-03R76QO9Q64Q}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
HKEY_CLASSES_ROOT\Applications\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW1\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW2\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PeriodicScanRetry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PeriodicScanRetry\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PvrRecoveryTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PvrRecoveryTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PvrScheduleTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PvrScheduleTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\RecordingRestart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\RecordingRestart\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\RegisterSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\RegisterSearch\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ReindexSearchRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ReindexSearchRoot\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\SqlLiteRecoveryTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\SqlLiteRecoveryTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\UpdateRecordPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\UpdateRecordPath\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D275FD88-B8FD-400B-A59D-FE59BC3D8372}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D275FD88-B8FD-400B-A59D-FE59BC3D8372}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D275FD88-B8FD-400B-A59D-FE59BC3D8372}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50CC8649-FED6-4905-831D-D8034ED04B4A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50CC8649-FED6-4905-831D-D8034ED04B4A}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50CC8649-FED6-4905-831D-D8034ED04B4A}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{515C8891-3D60-45E9-98D5-4100057BF1D6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{515C8891-3D60-45E9-98D5-4100057BF1D6}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{515C8891-3D60-45E9-98D5-4100057BF1D6}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FB82A65-88A8-46D2-B0CE-876FFD40EBC6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FB82A65-88A8-46D2-B0CE-876FFD40EBC6}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FB82A65-88A8-46D2-B0CE-876FFD40EBC6}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8723428B-C5A3-420F-9DB1-6AB50BFE60F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8723428B-C5A3-420F-9DB1-6AB50BFE60F1}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8723428B-C5A3-420F-9DB1-6AB50BFE60F1}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A2D7569-4321-42C4-B9CB-6ED3D330366D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A2D7569-4321-42C4-B9CB-6ED3D330366D}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A2D7569-4321-42C4-B9CB-6ED3D330366D}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3286C51D-9BA8-4AD8-9959-637B24FA1966}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3286C51D-9BA8-4AD8-9959-637B24FA1966}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3286C51D-9BA8-4AD8-9959-637B24FA1966}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A04BA3E5-D533-4984-9DE2-23D411C5F7CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A04BA3E5-D533-4984-9DE2-23D411C5F7CA}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A04BA3E5-D533-4984-9DE2-23D411C5F7CA}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ABF115F-7CE9-4625-B13E-FF36C231B30C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ABF115F-7CE9-4625-B13E-FF36C231B30C}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ABF115F-7CE9-4625-B13E-FF36C231B30C}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE71F1B1-5712-4BAF-B188-DBB8703B1012}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE71F1B1-5712-4BAF-B188-DBB8703B1012}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE71F1B1-5712-4BAF-B188-DBB8703B1012}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{657D0ED1-E475-462D-B688-CA0086EAB1AC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{657D0ED1-E475-462D-B688-CA0086EAB1AC}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{657D0ED1-E475-462D-B688-CA0086EAB1AC}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{404710DE-5446-4B74-AF37-97D85849362F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{404710DE-5446-4B74-AF37-97D85849362F}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{404710DE-5446-4B74-AF37-97D85849362F}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F0BD7C0-350C-4F75-92A3-104A10922F80}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F0BD7C0-350C-4F75-92A3-104A10922F80}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F0BD7C0-350C-4F75-92A3-104A10922F80}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCBAD3E-188B-4170-9F99-D18C3501678A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCBAD3E-188B-4170-9F99-D18C3501678A}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCBAD3E-188B-4170-9F99-D18C3501678A}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B0F1F6D-C1A2-48A2-AC36-81047F360A83}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B0F1F6D-C1A2-48A2-AC36-81047F360A83}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B0F1F6D-C1A2-48A2-AC36-81047F360A83}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4B8EA3E-232D-48D6-9BF8-D34E912E6F0F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4B8EA3E-232D-48D6-9BF8-D34E912E6F0F}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4B8EA3E-232D-48D6-9BF8-D34E912E6F0F}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53DC79F-5ADC-49B4-A320-8E7AEE3577A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53DC79F-5ADC-49B4-A320-8E7AEE3577A9}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53DC79F-5ADC-49B4-A320-8E7AEE3577A9}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67EC7E74-D876-4298-A252-395A551BD437}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67EC7E74-D876-4298-A252-395A551BD437}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67EC7E74-D876-4298-A252-395A551BD437}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77DCC58C-F940-4DC4-AC48-48B9FED91614}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77DCC58C-F940-4DC4-AC48-48B9FED91614}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77DCC58C-F940-4DC4-AC48-48B9FED91614}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5B22AD-C69B-445B-A290-62E4409F926C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5B22AD-C69B-445B-A290-62E4409F926C}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5B22AD-C69B-445B-A290-62E4409F926C}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B38CC0-2DC9-4A2F-8F04-8AC4842F7BC7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B38CC0-2DC9-4A2F-8F04-8AC4842F7BC7}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B38CC0-2DC9-4A2F-8F04-8AC4842F7BC7}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\Extender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MobilePC\HotStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MobilePC\HotStart\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BD8AFF9-E621-47AC-B67C-D75CF67AF053}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BD8AFF9-E621-47AC-B67C-D75CF67AF053}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BD8AFF9-E621-47AC-B67C-D75CF67AF053}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\LPRemove
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\LPRemove\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB02381F-D652-4B1C-894A-712498C62C51}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB02381F-D652-4B1C-894A-712498C62C51}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB02381F-D652-4B1C-894A-712498C62C51}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SystemSoundsService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SystemSoundsService\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2470470F-2634-478E-B181-571E98A789BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2470470F-2634-478E-B181-571E98A789BB}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2470470F-2634-478E-B181-571E98A789BB}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetTrace\GatherNetworkInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetTrace\GatherNetworkInfo\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81540B9F-B5BF-47EB-9C95-BE195BF2C664}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81540B9F-B5BF-47EB-9C95-BE195BF2C664}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81540B9F-B5BF-47EB-9C95-BE195BF2C664}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Background Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Background Synchronization\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Logon Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Logon Synchronization\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B4B3398-654B-4215-9DC9-71F37F6D3437}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B4B3398-654B-4215-9DC9-71F37F6D3437}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B4B3398-654B-4215-9DC9-71F37F6D3437}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F1EA04-53D9-4650-912F-498A9C207F1B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F1EA04-53D9-4650-912F-498A9C207F1B}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23F1EA04-53D9-4650-912F-498A9C207F1B}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0CBAB43-44FC-469B-A4CE-87426761FDCE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0CBAB43-44FC-469B-A4CE-87426761FDCE}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0CBAB43-44FC-469B-A4CE-87426761FDCE}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\System\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB3C354D-297A-4EB2-9B58-090F6361906B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB3C354D-297A-4EB2-9B58-090F6361906B}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB3C354D-297A-4EB2-9B58-090F6361906B}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RAC\RacTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RAC\RacTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EACA24FF-236C-401D-A1E7-B3D5267B8A50}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EACA24FF-236C-401D-A1E7-B3D5267B8A50}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EACA24FF-236C-401D-A1E7-B3D5267B8A50}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Ras\MobilityManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Ras\MobilityManager\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC668097-4D6B-4093-AC14-014C09DBF820}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC668097-4D6B-4093-AC14-014C09DBF820}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC668097-4D6B-4093-AC14-014C09DBF820}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\RegIdleBackup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\RegIdleBackup\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControls\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControlsMigration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\WindowsParentalControlsMigration\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B42DD9C-5A26-4F27-BB95-34603F0997E5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B42DD9C-5A26-4F27-BB95-34603F0997E5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B42DD9C-5A26-4F27-BB95-34603F0997E5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{486D715E-6AA2-44CF-BC48-B6990CBB53C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{486D715E-6AA2-44CF-BC48-B6990CBB53C6}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{486D715E-6AA2-44CF-BC48-B6990CBB53C6}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\AutoWake
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\AutoWake\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\GadgetManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\GadgetManager\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SessionAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SessionAgent\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SystemDataProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\SystemDataProviders\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{365A30E2-8B9F-4F68-8F3B-65E2986D53A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{365A30E2-8B9F-4F68-8F3B-65E2986D53A8}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{365A30E2-8B9F-4F68-8F3B-65E2986D53A8}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19A7F090-8B10-456E-8D59-3807952AA3F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19A7F090-8B10-456E-8D59-3807952AA3F0}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19A7F090-8B10-456E-8D59-3807952AA3F0}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{889B8696-D393-49A2-9800-67D5C84A9F26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{889B8696-D393-49A2-9800-67D5C84A9F26}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{889B8696-D393-49A2-9800-67D5C84A9F26}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{378232A2-52F4-4AA6-83BB-E5970DBC55D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{378232A2-52F4-4AA6-83BB-E5970DBC55D7}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{378232A2-52F4-4AA6-83BB-E5970DBC55D7}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9F510C-95F4-499A-90C8-BAC5BC372FF4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9F510C-95F4-499A-90C8-BAC5BC372FF4}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9F510C-95F4-499A-90C8-BAC5BC372FF4}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SystemRestore\SR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SystemRestore\SR\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{994C86AD-A929-4B2C-88A0-4E25A107A029}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{994C86AD-A929-4B2C-88A0-4E25A107A029}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{994C86AD-A929-4B2C-88A0-4E25A107A029}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Task Manager\Interactive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Task Manager\Interactive\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F7B7221-AE8F-44F3-BA82-F7D260F51964}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F7B7221-AE8F-44F3-BA82-F7D260F51964}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F7B7221-AE8F-44F3-BA82-F7D260F51964}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict1\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\IpAddressConflict2\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{088482FA-65B8-4E17-9ABF-1DCD48E8D373}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{088482FA-65B8-4E17-9ABF-1DCD48E8D373}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{088482FA-65B8-4E17-9ABF-1DCD48E8D373}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09F06BFE-A3C8-40E3-846A-6E6F4000C238}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sud.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wucltux.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\ehome\ehres.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10030
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\rstrui.exe,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\comres.dll,-3410
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\mycomput.dll,-300
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wdc.dll,-10021
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msconfig.exe,-126
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\gameux.dll,-10082
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@C:\Windows\system32\msra.exe,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SortOrderIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\FavoritesRemovedChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheSMP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheTBP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_MinMFU
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere (64-ovg).yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Vagrearg Rkcybere.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYPHNPbhag:pgbe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\qvfcynlfjvgpu.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\kcfepuij.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JSF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zntavsl.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\freivprf.zfp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IOBKJVAQBJFNQQVGVBAF-NZQ64.RKR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Benpyr\IveghnyObk Thrfg Nqqvgvbaf\IObkQeiVafg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Pbzznaq Cebzcg.yax
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\\IOBKFIE\Qbjaybnqf\9.0_NqorEqe90_ra_HF.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfvrkrp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\CVY-1.1.7.jva32-cl2.7.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\hfre\Qrfxgbc\wqx-7-jvaqbjf-v586.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.VagreargRkcybere.Qrsnhyg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\frghc.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\IObkJvaqbjfNqqvgvbaf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\HfreNppbhagPbagebyFrggvatf.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\erxrljvm.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zzp.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\fyhv.rkr
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\{28636AA6-953D-11D2-B5D6-00C04FD918D0} 6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Active Directory Rights Management Services Client\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Autochk\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Bluetooth\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\CertificateServicesClient\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Diagnosis\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\DiskDiagnostic\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Location\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MobilePC\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetTrace\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetworkAccessProtection\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Offline Files\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PerfTrack\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Power Efficiency Diagnostics\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RAC\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Ras\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\RemoteAssistance\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Shell\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SideShow\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SystemRestore\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Task Manager\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Tcpip\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TextServicesFramework\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Time Synchronization\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\User Profile Service\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WDI\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Filtering Platform\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Media Sharing\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsColorSystem\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{613612BA-897D-44CE-8DC1-8FC283F9FD51}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{613612BA-897D-44CE-8DC1-8FC283F9FD51}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28011108-68DF-4C73-B91B-57427D501BBA}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28011108-68DF-4C73-B91B-57427D501BBA}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\PolicyConverter\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A48CABBF-24C8-4B87-B00F-9261807C3B43}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A48CABBF-24C8-4B87-B00F-9261807C3B43}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72DB7465-BC54-491B-A92A-4637A28C9BBF}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72DB7465-BC54-491B-A92A-4637A28C9BBF}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\AitAgent\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\ProgramDataUpdater\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC4E5ACF-89F7-4220-BA21-81EE183975E2}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC4E5ACF-89F7-4220-BA21-81EE183975E2}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7C73732-9F11-4281-8D19-764D4EC9D94D}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7C73732-9F11-4281-8D19-764D4EC9D94D}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Autochk\Proxy\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D7B6E81D-3CF4-432C-84D2-24213F4316E6}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D7B6E81D-3CF4-432C-84D2-24213F4316E6}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Bluetooth\UninstallDeviceTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E3163C33-301D-4730-A266-5518C5ED3967}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E3163C33-301D-4730-A266-5518C5ED3967}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\CertificateServicesClient\SystemTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\CertificateServicesClient\UserTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\CertificateServicesClient\UserTask-Roam\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F5A18EB-DC73-4E45-A11C-B59043598412}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F5A18EB-DC73-4E45-A11C-B59043598412}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7AFCC0CA-7121-422A-AB45-B0E8D599FF08}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7AFCC0CA-7121-422A-AB45-B0E8D599FF08}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9979CB83-103A-4105-9E5D-C74B0AF6D198}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9979CB83-103A-4105-9E5D-C74B0AF6D198}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\Consolidator\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C016366B-7126-46CA-B36B-592A3D95A60B}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C016366B-7126-46CA-B36B-592A3D95A60B}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDD56C73-F0D5-41B6-B767-6EFFD7966428}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDD56C73-F0D5-41B6-B767-6EFFD7966428}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47536D45-EEEC-4BDC-8183-A4DC1F8DA9E4}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C0AEEEA-C154-45BE-8499-BEA5F11BAFF6}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C0AEEEA-C154-45BE-8499-BEA5F11BAFF6}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Diagnosis\Scheduled\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE669C13-8165-4536-96D0-6D6C39292AAE}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE669C13-8165-4536-96D0-6D6C39292AAE}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF058542-CE2B-4E12-9669-8D71C9A1962D}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF058542-CE2B-4E12-9669-8D71C9A1962D}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3731DB66-FBF9-4A66-B1DD-775A8CBBA644}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3731DB66-FBF9-4A66-B1DD-775A8CBBA644}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Location\Notifications\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6AF9377-77CE-47AB-AD7D-EC32CAD0C82D}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6AF9377-77CE-47AB-AD7D-EC32CAD0C82D}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\WinSAT\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DA41DE71-8431-42FB-9DB0-EB64A961DEAD}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DA41DE71-8431-42FB-9DB0-EB64A961DEAD}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ActivateWindowsSearch\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ConfigureInternetTimeService\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\DispatchRecoveryTasks\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ehDRMInit\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\InstallPlayReady\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\mcupdate\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\MediaCenterRecoveryTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\OCURActivate\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\OCURDiscovery\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscovery\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW1\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW2\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PeriodicScanRetry\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PvrRecoveryTask\Id