Analysis

Category: FILE
Package: exe
Started: 2020-06-20 10:16:54
Completed: 2020-06-20 10:24:01
Duration: 427 seconds
route = tor
2020-05-13 09:28:19,255 [root] INFO: Date set to: 20200620T08:05:08, timeout set to: 200
2020-06-20 08:05:08,046 [root] DEBUG: Starting analyzer from: C:\tmpt2nfl3rg
2020-06-20 08:05:08,046 [root] DEBUG: Storing results at: C:\uCiRQoRacp
2020-06-20 08:05:08,046 [root] DEBUG: Pipe server name: \\.\PIPE\oVScch
2020-06-20 08:05:08,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-20 08:05:08,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-20 08:05:08,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-20 08:05:08,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-20 08:05:08,437 [root] DEBUG: Imported analysis package "exe".
2020-06-20 08:05:08,437 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-20 08:05:08,437 [root] DEBUG: Initialized analysis package "exe".
2020-06-20 08:05:09,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-20 08:05:09,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-20 08:05:09,546 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-20 08:05:09,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-20 08:05:09,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-20 08:05:09,703 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-20 08:05:09,703 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-20 08:05:09,781 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-20 08:05:09,781 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-20 08:05:10,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-20 08:05:10,062 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-20 08:05:10,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-20 08:05:10,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-20 08:05:10,171 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-20 08:05:10,187 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-20 08:05:10,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-20 08:05:10,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-20 08:05:10,187 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-20 08:05:10,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-20 08:05:10,265 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-20 08:05:10,265 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-20 08:05:13,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-20 08:05:13,421 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-20 08:05:13,531 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-20 08:05:13,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-20 08:05:13,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-20 08:05:13,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-20 08:05:13,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-20 08:05:13,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-20 08:05:13,546 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-20 08:05:13,546 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-20 08:05:13,546 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-20 08:05:13,546 [root] DEBUG: Started auxiliary module Browser
2020-06-20 08:05:13,546 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-20 08:05:13,562 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-20 08:05:13,562 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-20 08:05:13,562 [root] DEBUG: Started auxiliary module Curtain
2020-06-20 08:05:13,562 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-20 08:05:13,562 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-20 08:05:13,562 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-20 08:05:13,562 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-20 08:05:15,343 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-20 08:05:15,343 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-20 08:05:15,343 [root] DEBUG: Started auxiliary module DigiSig
2020-06-20 08:05:15,343 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-20 08:05:15,343 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-20 08:05:15,359 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-20 08:05:15,406 [root] DEBUG: Started auxiliary module Disguise
2020-06-20 08:05:15,406 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-20 08:05:15,406 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-20 08:05:15,406 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-20 08:05:15,406 [root] DEBUG: Started auxiliary module Human
2020-06-20 08:05:15,406 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-20 08:05:15,406 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-20 08:05:15,406 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-20 08:05:15,406 [root] DEBUG: Started auxiliary module Procmon
2020-06-20 08:05:15,437 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-20 08:05:15,437 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-20 08:05:15,437 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-20 08:05:15,437 [root] DEBUG: Started auxiliary module Screenshots
2020-06-20 08:05:15,437 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-20 08:05:15,437 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-20 08:05:15,437 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-20 08:05:15,437 [root] DEBUG: Started auxiliary module Sysmon
2020-06-20 08:05:15,453 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-20 08:05:15,453 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-20 08:05:15,453 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-20 08:05:15,453 [root] DEBUG: Started auxiliary module Usage
2020-06-20 08:05:15,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-20 08:05:15,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-20 08:05:15,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-20 08:05:15,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-20 08:05:15,546 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\NmXRQqik.exe" with arguments "" with pid 4172
2020-06-20 08:05:15,546 [lib.api.process] INFO: Monitor config for process 4172: C:\tmpt2nfl3rg\dll\4172.ini
2020-06-20 08:05:15,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:15,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:15,718 [root] DEBUG: Loader: Injecting process 4172 (thread 3388) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:15,718 [root] DEBUG: Process image base: 0x010A0000
2020-06-20 08:05:15,734 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:15,750 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:15,750 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:15,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4172
2020-06-20 08:05:17,765 [lib.api.process] INFO: Successfully resumed process with pid 4172
2020-06-20 08:05:18,281 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-20 08:05:18,281 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-20 08:05:18,296 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4172 at 0x73640000, image base 0x10a0000, stack from 0x455000-0x460000
2020-06-20 08:05:18,296 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\NmXRQqik.exe".
2020-06-20 08:05:18,359 [root] INFO: Loaded monitor into process with pid 4172
2020-06-20 08:05:18,375 [root] DEBUG: set_caller_info: Adding region at 0x00360000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-20 08:05:18,375 [root] DEBUG: set_caller_info: Adding region at 0x00C50000 to caller regions list (ntdll::RtlDispatchException).
2020-06-20 08:05:18,734 [root] DEBUG: DumpMemory: Exception occured reading memory address 0xc50000
2020-06-20 08:05:18,734 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00C50000 size 0x400000.
2020-06-20 08:05:18,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\4172_173804224018452220662020 (size 0xffe)
2020-06-20 08:05:18,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x00C50000, size 0x1000.
2020-06-20 08:05:18,812 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00360000.
2020-06-20 08:05:18,828 [root] DEBUG: set_caller_info: Adding region at 0x00520000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-20 08:05:18,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x61ffff
2020-06-20 08:05:18,859 [root] DEBUG: DumpMemory: Nothing to dump at 0x00520000!
2020-06-20 08:05:18,859 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00520000 size 0x100000.
2020-06-20 08:05:18,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x520000 - 0x54a000.
2020-06-20 08:05:18,859 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x520000-0x54a000.
2020-06-20 08:05:18,890 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\4172_146626798218452220662020 (size 0x29ffe)
2020-06-20 08:05:18,890 [root] DEBUG: DumpRegion: Dumped stack region from 0x00520000, size 0x2a000.
2020-06-20 08:05:18,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x73720000 to global list.
2020-06-20 08:05:18,890 [root] DEBUG: DLL loaded at 0x73720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-20 08:05:18,906 [root] DEBUG: DLL unloaded from 0x754B0000.
2020-06-20 08:05:18,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x00110000 to global list.
2020-06-20 08:05:18,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 amd local view 0x00110000 to global list.
2020-06-20 08:05:18,937 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-20 08:05:18,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72DA0000 for section view with handle 0xec.
2020-06-20 08:05:18,937 [root] DEBUG: DLL loaded at 0x72DA0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-20 08:05:18,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73AA0000 for section view with handle 0xec.
2020-06-20 08:05:19,437 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4172, handle 0x10c.
2020-06-20 08:05:19,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x00110000 to global list.
2020-06-20 08:05:19,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x114 amd local view 0x00120000 to global list.
2020-06-20 08:05:19,609 [root] INFO: Disabling sleep skipping.
2020-06-20 08:05:19,625 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4172.
2020-06-20 08:05:20,203 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4172.
2020-06-20 08:05:20,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d4 amd local view 0x06200000 to global list.
2020-06-20 08:05:20,296 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4172.
2020-06-20 08:05:22,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x70640000 to global list.
2020-06-20 08:05:22,390 [root] DEBUG: DLL loaded at 0x70640000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-20 08:05:27,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 amd local view 0x737B0000 to global list.
2020-06-20 08:05:27,406 [root] DEBUG: DLL loaded at 0x737B0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-20 08:05:27,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x75560000 to global list.
2020-06-20 08:05:27,453 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-20 08:05:27,718 [root] DEBUG: set_caller_info: Adding region at 0x001E0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-20 08:05:27,734 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x1effff
2020-06-20 08:05:27,734 [root] DEBUG: DumpMemory: Nothing to dump at 0x001E0000!
2020-06-20 08:05:27,734 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001E0000 size 0x10000.
2020-06-20 08:05:27,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1e1000.
2020-06-20 08:05:27,734 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e0000-0x1e1000.
2020-06-20 08:05:27,781 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\4172_193694184447452220662020 (size 0x481)
2020-06-20 08:05:28,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x6F760000 to global list.
2020-06-20 08:05:28,312 [root] DEBUG: DLL loaded at 0x6F760000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-20 08:05:29,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x244 amd local view 0x6EF80000 to global list.
2020-06-20 08:05:29,265 [root] DEBUG: DLL loaded at 0x6EF80000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-20 08:05:29,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x73540000 to global list.
2020-06-20 08:05:29,296 [root] DEBUG: DLL loaded at 0x73540000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-20 08:05:29,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x6E840000 to global list.
2020-06-20 08:05:29,640 [root] DEBUG: DLL loaded at 0x6E840000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-06-20 08:05:29,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73520000 for section view with handle 0x23c.
2020-06-20 08:05:29,890 [root] DEBUG: DLL loaded at 0x73520000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-20 08:05:29,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x066C0000 for section view with handle 0x23c.
2020-06-20 08:05:30,109 [root] DEBUG: DLL loaded at 0x75D90000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-20 08:05:30,109 [root] DEBUG: DLL loaded at 0x74A70000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-20 08:05:30,187 [root] DEBUG: set_caller_info: Adding region at 0x00140000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-20 08:05:30,203 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x14ffff
2020-06-20 08:05:30,203 [root] DEBUG: DumpMemory: Nothing to dump at 0x00140000!
2020-06-20 08:05:30,218 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\4172_41195982550452220662020 (size 0x14)
2020-06-20 08:05:30,218 [root] DEBUG: DumpRegion: Dumped stack region from 0x00140000, size 0x1000.
2020-06-20 08:05:30,281 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-20 08:05:30,312 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-20 08:05:30,328 [root] DEBUG: DLL loaded at 0x748F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-20 08:05:30,937 [root] DEBUG: OpenProcessHandler: Image base for process 4172 (handle 0x27c): 0x010A0000.
2020-06-20 08:05:31,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x27c amd local view 0x00460000 to global list.
2020-06-20 08:05:31,375 [root] DEBUG: DLL loaded at 0x734C0000: C:\Windows\system32\rasapi32 (0x52000 bytes).
2020-06-20 08:05:31,390 [root] DEBUG: DLL loaded at 0x734A0000: C:\Windows\system32\rasman (0x15000 bytes).
2020-06-20 08:05:31,390 [root] DEBUG: DLL loaded at 0x773A0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-20 08:05:31,406 [root] DEBUG: DLL loaded at 0x77140000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-20 08:05:31,468 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\system32\rtutils (0xd000 bytes).
2020-06-20 08:05:31,515 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-20 08:05:31,515 [root] DEBUG: DLL loaded at 0x74A80000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-20 08:05:31,515 [root] DEBUG: DLL loaded at 0x73490000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-20 08:05:31,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2d4 amd local view 0x069A0000 to global list.
2020-06-20 08:05:31,546 [root] DEBUG: DLL unloaded from 0x734A0000.
2020-06-20 08:05:31,546 [root] DEBUG: DLL loaded at 0x705E0000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-20 08:05:31,546 [root] DEBUG: DLL loaded at 0x70590000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-20 08:05:31,562 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:31,562 [root] DEBUG: DLL loaded at 0x70580000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-20 08:05:31,562 [root] DEBUG: DLL unloaded from 0x74A50000.
2020-06-20 08:05:31,578 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-20 08:05:31,578 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-20 08:05:31,578 [root] DEBUG: DLL loaded at 0x70570000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-20 08:05:31,593 [root] DEBUG: DLL loaded at 0x70550000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-20 08:05:31,593 [root] DEBUG: DLL unloaded from 0x77990000.
2020-06-20 08:05:31,609 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-20 08:05:31,656 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4172.
2020-06-20 08:05:31,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x378 amd local view 0x00620000 to global list.
2020-06-20 08:05:31,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x374 amd local view 0x00620000 to global list.
2020-06-20 08:05:31,718 [root] DEBUG: DLL loaded at 0x70500000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-20 08:05:31,765 [root] DEBUG: DLL loaded at 0x704F0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-20 08:05:32,296 [root] DEBUG: DLL loaded at 0x704B0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-20 08:05:32,359 [root] DEBUG: DLL loaded at 0x704A0000: C:\Windows\system32\secur32 (0x8000 bytes).
2020-06-20 08:05:32,390 [root] DEBUG: DLL loaded at 0x70450000: C:\Windows\SysWOW64\schannel (0x41000 bytes).
2020-06-20 08:05:32,390 [root] DEBUG: DLL loaded at 0x77270000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-20 08:05:32,390 [root] DEBUG: DLL loaded at 0x76DE0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-20 08:05:33,234 [root] DEBUG: DLL loaded at 0x70410000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-06-20 08:05:33,234 [root] DEBUG: DLL loaded at 0x703D0000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2020-06-20 08:05:33,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x410 amd local view 0x00620000 to global list.
2020-06-20 08:05:33,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x40c amd local view 0x00620000 to global list.
2020-06-20 08:05:33,625 [root] DEBUG: DLL loaded at 0x74AD0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-20 08:05:33,781 [root] DEBUG: DLL loaded at 0x703B0000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-06-20 08:05:35,359 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4172.
2020-06-20 08:05:35,375 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4172.
2020-06-20 08:05:35,593 [root] INFO: Announced 64-bit process name: AddInProcess.exe pid: 4308
2020-06-20 08:05:35,640 [lib.api.process] INFO: Monitor config for process 4308: C:\tmpt2nfl3rg\dll\4308.ini
2020-06-20 08:05:35,656 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:05:35,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:35,687 [root] DEBUG: Loader: Injecting process 4308 (thread 4296) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,687 [root] DEBUG: Process image base: 0x0000000000080000
2020-06-20 08:05:35,687 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:35,687 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:35,687 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,703 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4308
2020-06-20 08:05:35,703 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-20 08:05:35,718 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe.
2020-06-20 08:05:35,718 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4308, ImageBase: 0x00080000
2020-06-20 08:05:35,718 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4308 (ImageBase 0x400000)
2020-06-20 08:05:35,718 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-20 08:05:35,718 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0568A9D8.
2020-06-20 08:05:35,765 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x29400.
2020-06-20 08:05:35,765 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x568a9d8, SizeOfImage 0x30000.
2020-06-20 08:05:35,781 [root] INFO: Announced 64-bit process name: AddInProcess.exe pid: 4308
2020-06-20 08:05:35,781 [lib.api.process] INFO: Monitor config for process 4308: C:\tmpt2nfl3rg\dll\4308.ini
2020-06-20 08:05:35,781 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:05:35,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:35,796 [root] DEBUG: Loader: Injecting process 4308 (thread 0) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,796 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD5000 Local PEB 0x000007FFFFFDC000 Local TEB 0x000007FFFFFDE000: The operation completed successfully.
2020-06-20 08:05:35,796 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-20 08:05:35,812 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-20 08:05:35,812 [root] DEBUG: Failed to inject DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,812 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 4308, error: 4294967281
2020-06-20 08:05:35,812 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-20 08:05:35,828 [root] INFO: Announced 64-bit process name: AddInProcess.exe pid: 4308
2020-06-20 08:05:35,828 [lib.api.process] INFO: Monitor config for process 4308: C:\tmpt2nfl3rg\dll\4308.ini
2020-06-20 08:05:35,828 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:05:35,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:35,859 [root] DEBUG: Loader: Injecting process 4308 (thread 0) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,875 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD5000 Local PEB 0x000007FFFFFDD000 Local TEB 0x000007FFFFFDF000: The operation completed successfully.
2020-06-20 08:05:35,875 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-20 08:05:35,875 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-20 08:05:35,875 [root] DEBUG: Failed to inject DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,890 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 4308, error: 4294967281
2020-06-20 08:05:35,890 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-20 08:05:35,890 [root] INFO: Announced 64-bit process name: AddInProcess.exe pid: 4308
2020-06-20 08:05:35,890 [lib.api.process] INFO: Monitor config for process 4308: C:\tmpt2nfl3rg\dll\4308.ini
2020-06-20 08:05:35,890 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:05:35,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:35,921 [root] DEBUG: Loader: Injecting process 4308 (thread 0) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,921 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD5000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD6000: The operation completed successfully.
2020-06-20 08:05:35,921 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-20 08:05:35,921 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-20 08:05:35,921 [root] DEBUG: Failed to inject DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,937 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 4308, error: 4294967281
2020-06-20 08:05:35,937 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-20 08:05:35,937 [root] INFO: Announced 64-bit process name: AddInProcess.exe pid: 4308
2020-06-20 08:05:35,937 [lib.api.process] INFO: Monitor config for process 4308: C:\tmpt2nfl3rg\dll\4308.ini
2020-06-20 08:05:35,937 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:05:35,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:35,953 [root] DEBUG: Loader: Injecting process 4308 (thread 0) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,953 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD5000 Local PEB 0x000007FFFFFDD000 Local TEB 0x000007FFFFFDF000: The operation completed successfully.
2020-06-20 08:05:35,968 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-20 08:05:35,968 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-20 08:05:35,968 [root] DEBUG: Failed to inject DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:05:35,968 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 4308, error: 4294967281
2020-06-20 08:05:35,984 [root] INFO: Process with pid 4308 has terminated
2020-06-20 08:05:36,249 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:36,249 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:36,265 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:36,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:36,312 [root] DEBUG: Loader: Injecting process 3272 (thread 1152) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:36,312 [root] DEBUG: Process image base: 0x001C0000
2020-06-20 08:05:36,312 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:36,312 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:36,312 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:36,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:37,609 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.
2020-06-20 08:05:37,625 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3272, ImageBase: 0x001C0000
2020-06-20 08:05:37,625 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:37,625 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:37,625 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:37,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:37,656 [root] DEBUG: Loader: Injecting process 3272 (thread 1152) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,656 [root] DEBUG: Process image base: 0x001C0000
2020-06-20 08:05:37,656 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:37,656 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:37,656 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,671 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:37,671 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 3272 (ImageBase 0x400000)
2020-06-20 08:05:37,671 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-20 08:05:37,671 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0568A9D8.
2020-06-20 08:05:37,687 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x29400.
2020-06-20 08:05:37,687 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x568a9d8, SizeOfImage 0x30000.
2020-06-20 08:05:37,687 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:37,687 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:37,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:37,750 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:37,750 [root] DEBUG: Loader: Injecting process 3272 (thread 0) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,765 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-20 08:05:37,765 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1152, handle 0xc4
2020-06-20 08:05:37,765 [root] DEBUG: Process image base: 0x001C0000
2020-06-20 08:05:37,765 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:37,765 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:37,765 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,781 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:37,812 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-20 08:05:37,812 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:37,812 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:37,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:37,843 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:37,843 [root] DEBUG: Loader: Injecting process 3272 (thread 0) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,843 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-20 08:05:37,843 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1152, handle 0xc4
2020-06-20 08:05:37,843 [root] DEBUG: Process image base: 0x001C0000
2020-06-20 08:05:37,859 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:37,859 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:37,859 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,875 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:37,875 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-20 08:05:37,875 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:37,875 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:37,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:37,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:37,906 [root] DEBUG: Loader: Injecting process 3272 (thread 0) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,906 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-20 08:05:37,906 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1152, handle 0xc4
2020-06-20 08:05:37,906 [root] DEBUG: Process image base: 0x001C0000
2020-06-20 08:05:37,906 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:37,906 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:37,921 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:37,921 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-20 08:05:37,921 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:37,921 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:37,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:37,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:37,953 [root] DEBUG: Loader: Injecting process 3272 (thread 0) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,953 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-20 08:05:37,953 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1152, handle 0xc4
2020-06-20 08:05:37,953 [root] DEBUG: Process image base: 0x001C0000
2020-06-20 08:05:37,968 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:37,968 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:37,968 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:37,968 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:37,984 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:37,984 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:37,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:38,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:38,015 [root] DEBUG: Loader: Injecting process 3272 (thread 0) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:38,015 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-20 08:05:38,015 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1152, handle 0xc4
2020-06-20 08:05:38,015 [root] DEBUG: Process image base: 0x00400000
2020-06-20 08:05:38,015 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:38,031 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:38,031 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:38,031 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:38,031 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0002A89E (process 3272).
2020-06-20 08:05:38,031 [root] INFO: Announced 32-bit process name: AddInProcess32.exe pid: 3272
2020-06-20 08:05:38,031 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpt2nfl3rg\dll\3272.ini
2020-06-20 08:05:38,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:05:38,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:05:38,062 [root] DEBUG: Loader: Injecting process 3272 (thread 1152) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:38,062 [root] DEBUG: Process image base: 0x00400000
2020-06-20 08:05:38,062 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-20 08:05:38,078 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-20 08:05:38,078 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:05:38,078 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-20 08:05:38,078 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3272.
2020-06-20 08:05:38,109 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-20 08:05:38,109 [root] INFO: Disabling sleep skipping.
2020-06-20 08:05:38,125 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3272 at 0x73640000, image base 0x400000, stack from 0x306000-0x310000
2020-06-20 08:05:38,125 [root] DEBUG: Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.
2020-06-20 08:05:38,171 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4172
2020-06-20 08:05:38,171 [root] DEBUG: GetHookCallerBase: thread 3388 (handle 0x0), return address 0x73671698, allocation base 0x73640000.
2020-06-20 08:05:38,171 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x010A0000.
2020-06-20 08:05:38,171 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x010A2000
2020-06-20 08:05:38,171 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-20 08:05:38,171 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x010A0000.
2020-06-20 08:05:38,187 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x010A5400 to 0x010A5600).
2020-06-20 08:05:38,187 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-20 08:05:38,187 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x010A0000, dumping memory region.
2020-06-20 08:05:38,187 [root] INFO: Loaded monitor into process with pid 3272
2020-06-20 08:05:38,187 [root] DEBUG: set_caller_info: Adding region at 0x000D0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:38,203 [root] DEBUG: set_caller_info: Adding region at 0x02180000 to caller regions list (kernel32::GetSystemTime).
2020-06-20 08:05:38,203 [root] DEBUG: DLL unloaded from 0x704A0000.
2020-06-20 08:05:38,203 [root] DEBUG: DLL unloaded from 0x703D0000.
2020-06-20 08:05:38,203 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x2180000
2020-06-20 08:05:38,218 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02180000 size 0x400000.
2020-06-20 08:05:38,218 [root] DEBUG: DumpPEsInRange: Scanning range 0x2180000 - 0x2181000.
2020-06-20 08:05:38,218 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2180000-0x2181000.
2020-06-20 08:05:38,218 [root] DEBUG: DLL unloaded from 0x75770000.
2020-06-20 08:05:38,218 [root] DEBUG: DLL unloaded from 0x70450000.
2020-06-20 08:05:38,218 [root] DEBUG: DLL unloaded from 0x70580000.
2020-06-20 08:05:38,234 [root] DEBUG: DLL unloaded from 0x72DA0000.
2020-06-20 08:05:38,234 [root] DEBUG: DLL unloaded from 0x73720000.
2020-06-20 08:05:38,249 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4172
2020-06-20 08:05:38,265 [root] DEBUG: GetHookCallerBase: thread 3388 (handle 0x0), return address 0x73671698, allocation base 0x73640000.
2020-06-20 08:05:38,265 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x010A0000.
2020-06-20 08:05:38,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_91840596838452220662020 (size 0x597)
2020-06-20 08:05:38,296 [root] DEBUG: DumpRegion: Dumped stack region from 0x02180000, size 0x1000.
2020-06-20 08:05:38,296 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x010A2000
2020-06-20 08:05:38,296 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-20 08:05:38,312 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x010A0000.
2020-06-20 08:05:38,312 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x010A5400 to 0x010A5600).
2020-06-20 08:05:38,312 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-20 08:05:38,328 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x010A0000, dumping memory region.
2020-06-20 08:05:38,328 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_162801382438452220662020 (size 0x12a)
2020-06-20 08:05:38,328 [root] INFO: Process with pid 4172 has terminated
2020-06-20 08:05:38,328 [root] DEBUG: DumpRegion: Dumped stack region from 0x000D0000, size 0x1000.
2020-06-20 08:05:38,390 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:38,390 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:38,406 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:38,406 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:38,421 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:38,437 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:38,468 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:38,546 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_189650386838452220662020 (size 0x12a)
2020-06-20 08:05:38,546 [root] DEBUG: DumpRegion: Dumped stack region from 0x000E0000, size 0x1000.
2020-06-20 08:05:38,578 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:38,593 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:38,593 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:38,593 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:38,593 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:38,593 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:38,609 [root] DEBUG: set_caller_info: Adding region at 0x000F0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:39,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_159378920238452220662020 (size 0x12a)
2020-06-20 08:05:39,046 [root] DEBUG: DumpRegion: Dumped stack region from 0x000F0000, size 0x1000.
2020-06-20 08:05:39,046 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:39,062 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,062 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,062 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,078 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,078 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:39,093 [root] DEBUG: set_caller_info: Adding region at 0x00100000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:39,187 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_92697069139452220662020 (size 0x12a)
2020-06-20 08:05:39,187 [root] DEBUG: DumpRegion: Dumped stack region from 0x00100000, size 0x1000.
2020-06-20 08:05:39,203 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:39,218 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,218 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,218 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,249 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,249 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:39,281 [root] DEBUG: set_caller_info: Adding region at 0x00110000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:39,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_78371000839452220662020 (size 0x12a)
2020-06-20 08:05:39,375 [root] DEBUG: DumpRegion: Dumped stack region from 0x00110000, size 0x1000.
2020-06-20 08:05:39,390 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:39,406 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,421 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,421 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,421 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,437 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:39,437 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:39,515 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_162365179939452220662020 (size 0x12a)
2020-06-20 08:05:39,531 [root] DEBUG: DumpRegion: Dumped stack region from 0x00120000, size 0x1000.
2020-06-20 08:05:39,531 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:39,546 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,562 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,562 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,562 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,562 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:39,578 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (ntdll::LdrLoadDll).
2020-06-20 08:05:39,671 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_14554168839452220662020 (size 0x12a)
2020-06-20 08:05:39,687 [root] DEBUG: DumpRegion: Dumped stack region from 0x00130000, size 0x1000.
2020-06-20 08:05:39,687 [root] DEBUG: DLL loaded at 0x00310000: C:\tmpt2nfl3rg\dll\jelUxLs (0xd5000 bytes).
2020-06-20 08:05:39,703 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,703 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,703 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-20 08:05:39,718 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:39,734 [root] DEBUG: DLL unloaded from 0x00310000.
2020-06-20 08:05:39,734 [root] DEBUG: set_caller_info: Adding region at 0x00210000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-20 08:05:39,750 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00210000.
2020-06-20 08:05:39,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x73720000 to global list.
2020-06-20 08:05:39,765 [root] DEBUG: DLL loaded at 0x73720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-20 08:05:39,765 [root] DEBUG: DLL unloaded from 0x754B0000.
2020-06-20 08:05:39,781 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-20 08:05:39,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 amd local view 0x72DA0000 to global list.
2020-06-20 08:05:39,796 [root] DEBUG: DLL loaded at 0x72DA0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-20 08:05:39,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73AA0000 for section view with handle 0xe8.
2020-06-20 08:05:39,812 [root] DEBUG: DLL loaded at 0x73AA0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-20 08:05:39,843 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3272, handle 0x108.
2020-06-20 08:05:39,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c amd local view 0x001D0000 to global list.
2020-06-20 08:05:39,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x001E0000 to global list.
2020-06-20 08:05:39,875 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3272.
2020-06-20 08:05:39,875 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3272.
2020-06-20 08:05:39,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c8 amd local view 0x06510000 to global list.
2020-06-20 08:05:40,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f8 amd local view 0x6EDD0000 to global list.
2020-06-20 08:05:40,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x735C0000 to global list.
2020-06-20 08:05:40,078 [root] DEBUG: DLL loaded at 0x735C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-20 08:05:40,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x75560000 to global list.
2020-06-20 08:05:40,093 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-20 08:05:40,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x70FD0000 to global list.
2020-06-20 08:05:40,187 [root] DEBUG: DLL loaded at 0x70FD0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-20 08:05:40,187 [root] DEBUG: set_caller_info: Adding region at 0x00440000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-20 08:05:40,187 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x44ffff
2020-06-20 08:05:40,203 [root] DEBUG: DumpMemory: Nothing to dump at 0x00440000!
2020-06-20 08:05:40,218 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00440000 size 0x10000.
2020-06-20 08:05:40,218 [root] DEBUG: DumpPEsInRange: Scanning range 0x440000 - 0x441000.
2020-06-20 08:05:40,234 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x440000-0x441000.
2020-06-20 08:05:40,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_11198024120462220662020 (size 0x478)
2020-06-20 08:05:40,312 [root] DEBUG: DumpRegion: Dumped stack region from 0x00440000, size 0x1000.
2020-06-20 08:05:40,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 amd local view 0x73810000 to global list.
2020-06-20 08:05:40,328 [root] DEBUG: DLL loaded at 0x73810000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-20 08:05:40,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06900000 for section view with handle 0x230.
2020-06-20 08:05:40,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 amd local view 0x707F0000 to global list.
2020-06-20 08:05:40,375 [root] DEBUG: DLL loaded at 0x707F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-20 08:05:40,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x734C0000 to global list.
2020-06-20 08:05:40,406 [root] DEBUG: DLL loaded at 0x734C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-20 08:05:40,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E690000 for section view with handle 0x230.
2020-06-20 08:05:40,437 [root] DEBUG: DLL loaded at 0x6E690000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-06-20 08:05:40,453 [root] DEBUG: DLL loaded at 0x75D90000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-20 08:05:40,468 [root] DEBUG: DLL loaded at 0x74A70000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-20 08:05:40,468 [root] DEBUG: set_caller_info: Adding region at 0x00200000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-20 08:05:40,484 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x20ffff
2020-06-20 08:05:40,484 [root] DEBUG: DumpMemory: Nothing to dump at 0x00200000!
2020-06-20 08:05:40,500 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00200000 size 0x10000.
2020-06-20 08:05:40,515 [root] DEBUG: DumpPEsInRange: Scanning range 0x200000 - 0x201000.
2020-06-20 08:05:40,515 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x200000-0x201000.
2020-06-20 08:05:40,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uCiRQoRacp\CAPE\3272_3928085390462220662020 (size 0x14)
2020-06-20 08:05:40,578 [root] DEBUG: DumpRegion: Dumped stack region from 0x00200000, size 0x1000.
2020-06-20 08:05:40,609 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-20 08:05:40,609 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-20 08:05:40,625 [root] DEBUG: DLL loaded at 0x748F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-20 08:05:40,921 [root] DEBUG: OpenProcessHandler: Image base for process 3272 (handle 0x44): 0x00400000.
2020-06-20 08:05:41,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 amd local view 0x6D380000 to global list.
2020-06-20 08:05:41,281 [root] DEBUG: DLL loaded at 0x6D380000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\d84a4c1cb8dbcdd0730bc62564d6c96c\System.ServiceModel.ni (0x1310000 bytes).
2020-06-20 08:05:41,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70530000 for section view with handle 0x270.
2020-06-20 08:05:41,828 [root] DEBUG: DLL loaded at 0x70530000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\ccaf6d342acbed1a798d02e711dec6bd\System.Runtime.Serialization.ni (0x2bb000 bytes).
2020-06-20 08:05:42,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737F0000 for section view with handle 0x270.
2020-06-20 08:05:42,031 [root] DEBUG: DLL loaded at 0x737F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\0ea80706f16fdfa7b82d29bd761a0085\SMDiagnostics.ni (0x20000 bytes).
2020-06-20 08:05:42,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70460000 for section view with handle 0x270.
2020-06-20 08:05:42,249 [root] DEBUG: DLL loaded at 0x70460000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\38a0295dd67142d3b8572313e9004d44\System.ServiceModel.Internals.ni (0xc9000 bytes).
2020-06-20 08:05:42,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x44 amd local view 0x00530000 to global list.
2020-06-20 08:05:43,875 [root] DEBUG: DLL loaded at 0x70400000: C:\Windows\system32\rasapi32 (0x52000 bytes).
2020-06-20 08:05:43,906 [root] DEBUG: DLL loaded at 0x737D0000: C:\Windows\system32\rasman (0x15000 bytes).
2020-06-20 08:05:43,906 [root] DEBUG: DLL loaded at 0x773A0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-20 08:05:43,937 [root] DEBUG: DLL loaded at 0x77140000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-20 08:05:43,953 [root] DEBUG: DLL loaded at 0x737C0000: C:\Windows\system32\rtutils (0xd000 bytes).
2020-06-20 08:05:43,984 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-20 08:05:43,984 [root] DEBUG: DLL loaded at 0x74A80000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-20 08:05:44,000 [root] DEBUG: DLL loaded at 0x737B0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-20 08:05:44,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c4 amd local view 0x03F40000 to global list.
2020-06-20 08:05:44,078 [root] DEBUG: DLL loaded at 0x703A0000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-20 08:05:44,078 [root] DEBUG: DLL loaded at 0x6D330000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-20 08:05:44,093 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-20 08:05:44,093 [root] DEBUG: DLL unloaded from 0x737D0000.
2020-06-20 08:05:44,109 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-20 08:05:44,109 [root] DEBUG: DLL unloaded from 0x74A50000.
2020-06-20 08:05:44,125 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-20 08:05:44,125 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-20 08:05:44,125 [root] DEBUG: DLL loaded at 0x734B0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-20 08:05:44,140 [root] DEBUG: DLL loaded at 0x73490000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-20 08:05:44,156 [root] DEBUG: DLL unloaded from 0x77990000.
2020-06-20 08:05:44,171 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-20 08:05:44,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x33c amd local view 0x00770000 to global list.
2020-06-20 08:05:44,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x340 amd local view 0x00770000 to global list.
2020-06-20 08:05:44,234 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3272.
2020-06-20 08:07:49,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x334 amd local view 0x6D240000 to global list.
2020-06-20 08:07:49,312 [root] DEBUG: DLL loaded at 0x6D240000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader (0xe8000 bytes).
2020-06-20 08:07:49,546 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2452
2020-06-20 08:07:49,562 [lib.api.process] INFO: Monitor config for process 2452: C:\tmpt2nfl3rg\dll\2452.ini
2020-06-20 08:07:49,625 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:07:49,656 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:07:49,671 [root] DEBUG: Loader: Injecting process 2452 (thread 3024) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:49,671 [root] DEBUG: Process image base: 0x4A210000
2020-06-20 08:07:49,687 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:49,687 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-20 08:07:49,687 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-20 08:07:49,734 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-20 08:07:49,750 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-20 08:07:49,765 [root] INFO: Disabling sleep skipping.
2020-06-20 08:07:49,765 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2452 at 0x73640000, image base 0x4a210000, stack from 0x4e3000-0x5e0000
2020-06-20 08:07:49,781 [root] DEBUG: Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\"cmd.exe" \C taskkill \F \PID 3272 && choice \C Y \N \D Y \T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe".
2020-06-20 08:07:49,828 [root] INFO: Loaded monitor into process with pid 2452
2020-06-20 08:07:49,843 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-20 08:07:49,843 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-20 08:07:49,859 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:49,875 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-20 08:07:49,921 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "cmd.exe" /C taskkill /F /PID 3272 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe".
2020-06-20 08:07:49,953 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2452, ImageBase: 0x4A210000
2020-06-20 08:07:49,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x03C00000 to global list.
2020-06-20 08:07:49,984 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 4004
2020-06-20 08:07:49,984 [lib.api.process] INFO: Monitor config for process 4004: C:\tmpt2nfl3rg\dll\4004.ini
2020-06-20 08:07:50,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:07:50,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:07:50,093 [root] DEBUG: Loader: Injecting process 4004 (thread 892) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:50,093 [root] DEBUG: Process image base: 0x00C40000
2020-06-20 08:07:50,109 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:50,109 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-20 08:07:50,109 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:50,125 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4004
2020-06-20 08:07:50,125 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-20 08:07:50,187 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4004, ImageBase: 0x00C40000
2020-06-20 08:07:50,203 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 4004
2020-06-20 08:07:50,203 [lib.api.process] INFO: Monitor config for process 4004: C:\tmpt2nfl3rg\dll\4004.ini
2020-06-20 08:07:50,203 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\jelUxLs.dll, loader C:\tmpt2nfl3rg\bin\bvrqzkb.exe
2020-06-20 08:07:50,234 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:07:50,234 [root] DEBUG: Loader: Injecting process 4004 (thread 892) with C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:50,234 [root] DEBUG: Process image base: 0x00C40000
2020-06-20 08:07:50,249 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:50,265 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-20 08:07:50,265 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\jelUxLs.dll.
2020-06-20 08:07:50,281 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4004
2020-06-20 08:07:50,359 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-20 08:07:50,359 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-20 08:07:50,359 [root] INFO: Disabling sleep skipping.
2020-06-20 08:07:50,359 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-20 08:07:50,375 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4004 at 0x73640000, image base 0xc40000, stack from 0x1a6000-0x1b0000
2020-06-20 08:07:50,390 [root] DEBUG: Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\taskkill  \F \PID 3272.
2020-06-20 08:07:50,453 [root] INFO: Loaded monitor into process with pid 4004
2020-06-20 08:07:50,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x00B50000 to global list.
2020-06-20 08:07:50,484 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 4004).
2020-06-20 08:07:50,500 [root] INFO: Stopping WMI Service
2020-06-20 08:07:58,328 [root] INFO: Stopped WMI Service
2020-06-20 08:07:58,750 [lib.api.process] INFO: Monitor config for process 588: C:\tmpt2nfl3rg\dll\588.ini
2020-06-20 08:07:58,781 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:07:58,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:07:58,796 [root] DEBUG: Loader: Injecting process 588 (thread 0) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:07:58,812 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD8000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD6000: The operation completed successfully.
2020-06-20 08:07:58,843 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-20 08:07:58,843 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-20 08:07:58,859 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-20 08:07:58,875 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-20 08:07:58,890 [root] INFO: Disabling sleep skipping.
2020-06-20 08:07:58,890 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 588 at 0x000000006D0C0000, image base 0x00000000FFC60000, stack from 0x00000000013A6000-0x00000000013B0000
2020-06-20 08:07:58,921 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-06-20 08:07:58,984 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-20 08:07:59,015 [root] WARNING: b'Unable to hook LockResource'
2020-06-20 08:07:59,062 [root] INFO: Loaded monitor into process with pid 588
2020-06-20 08:07:59,062 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-20 08:07:59,109 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-20 08:07:59,109 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:08:01,140 [root] INFO: Starting WMI Service
2020-06-20 08:08:01,296 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2432, handle 0x5ec.
2020-06-20 08:08:03,859 [root] INFO: Started WMI Service
2020-06-20 08:08:03,859 [lib.api.process] INFO: Monitor config for process 2432: C:\tmpt2nfl3rg\dll\2432.ini
2020-06-20 08:08:03,875 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\ZNZQzN.dll, loader C:\tmpt2nfl3rg\bin\AELworbq.exe
2020-06-20 08:08:03,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oVScch.
2020-06-20 08:08:03,921 [root] DEBUG: Loader: Injecting process 2432 (thread 0) with C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:08:03,921 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD5000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFDD000: The operation completed successfully.
2020-06-20 08:08:03,937 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1820, handle 0xa8
2020-06-20 08:08:03,937 [root] DEBUG: Process image base: 0x00000000FFC60000
2020-06-20 08:08:03,937 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-20 08:08:03,953 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-20 08:08:03,953 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-20 08:08:03,953 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-20 08:08:04,000 [root] INFO: Disabling sleep skipping.
2020-06-20 08:08:04,015 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 2432 at 0x000000006D0C0000, image base 0x00000000FFC60000, stack from 0x0000000001246000-0x0000000001250000
2020-06-20 08:08:04,015 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-20 08:08:04,046 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-20 08:08:04,062 [root] WARNING: b'Unable to hook LockResource'
2020-06-20 08:08:04,078 [root] INFO: Loaded monitor into process with pid 2432
2020-06-20 08:08:04,078 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-20 08:08:04,078 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-20 08:08:04,078 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\ZNZQzN.dll.
2020-06-20 08:08:06,078 [root] DEBUG: DLL loaded at 0x77150000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-20 08:08:06,093 [root] DEBUG: DLL loaded at 0x6D0B0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-20 08:08:06,140 [root] DEBUG: DLL loaded at 0x6D040000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-20 08:08:06,156 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-20 08:08:06,156 [root] DEBUG: DLL loaded at 0x73A00000: C:\Windows\system32\Winsta (0x29000 bytes).
2020-06-20 08:08:06,156 [root] DEBUG: DLL unloaded from 0x00C40000.
2020-06-20 08:08:06,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x190 amd local view 0x03840000 to global list.
2020-06-20 08:08:06,187 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\SysWOW64\CRYPTSP (0x17000 bytes).
2020-06-20 08:08:06,218 [root] DEBUG: DLL loaded at 0x748F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-20 08:08:06,218 [root] DEBUG: DLL loaded at 0x74010000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2020-06-20 08:08:06,343 [root] DEBUG: DLL loaded at 0x6D020000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-20 08:08:06,375 [root] DEBUG: DLL unloaded from 0x73A00000.
2020-06-20 08:08:06,390 [root] DEBUG: DLL unloaded from 0x6D020000.
2020-06-20 08:08:06,390 [root] DEBUG: DLL unloaded from 0x6D0B0000.
2020-06-20 08:08:06,406 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4004
2020-06-20 08:08:06,406 [root] DEBUG: GetHookCallerBase: thread 892 (handle 0x0), return address 0x00C4176E, allocation base 0x00C40000.
2020-06-20 08:08:06,421 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00C40000.
2020-06-20 08:08:06,437 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-20 08:08:06,453 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00C40000.
2020-06-20 08:08:06,453 [root] DEBUG: DumpProcess: Module entry point VA is 0x00005C89.
2020-06-20 08:08:06,468 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x13000.
2020-06-20 08:08:06,468 [root] DEBUG: DLL unloaded from 0x75770000.
2020-06-20 08:08:06,484 [root] INFO: Process with pid 4004 has terminated
2020-06-20 08:08:06,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x00220000 to global list.
2020-06-20 08:08:06,656 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2452
2020-06-20 08:08:06,656 [root] DEBUG: GetHookCallerBase: thread 3024 (handle 0x0), return address 0x4A217302, allocation base 0x4A210000.
2020-06-20 08:08:06,656 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A210000.
2020-06-20 08:08:06,656 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-20 08:08:06,656 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A210000.
2020-06-20 08:08:06,671 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-06-20 08:08:06,671 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-06-20 08:08:06,687 [root] DEBUG: DLL unloaded from 0x75770000.
2020-06-20 08:08:06,687 [root] INFO: Process with pid 2452 has terminated
2020-06-20 08:08:06,718 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3272
2020-06-20 08:08:06,718 [root] DEBUG: GetHookCallerBase: thread 1152 (handle 0x0), return address 0x73671698, allocation base 0x73640000.
2020-06-20 08:08:06,718 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-20 08:08:06,734 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-20 08:08:06,734 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-20 08:08:06,750 [root] DEBUG: DumpProcess: Error - entry point too big: 0x738b7cef, ignoring.
2020-06-20 08:08:06,750 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x29600.
2020-06-20 08:08:06,765 [root] DEBUG: DLL unloaded from 0x75770000.
2020-06-20 08:08:06,765 [root] DEBUG: DLL unloaded from 0x737A0000.
2020-06-20 08:08:06,781 [root] DEBUG: DLL unloaded from 0x72DA0000.
2020-06-20 08:08:06,812 [root] DEBUG: DLL unloaded from 0x73720000.
2020-06-20 08:08:06,828 [root] INFO: Process with pid 3272 has terminated
2020-06-20 08:08:31,359 [root] DEBUG: DLL loaded at 0x000007FEF6EB0000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-06-20 08:08:31,359 [root] DEBUG: DLL loaded at 0x000007FEFB420000: C:\Windows\system32\ATL (0x19000 bytes).
2020-06-20 08:08:31,375 [root] DEBUG: DLL loaded at 0x000007FEF6E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-06-20 08:08:31,406 [root] DEBUG: DLL loaded at 0x000007FEFABC0000: C:\Windows\system32\samcli (0x14000 bytes).
2020-06-20 08:08:31,421 [root] DEBUG: DLL loaded at 0x000007FEFBBF0000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-06-20 08:08:31,453 [root] DEBUG: DLL loaded at 0x000007FEFB690000: C:\Windows\system32\netutils (0xc000 bytes).
2020-06-20 08:08:31,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 amd local view 0x00000000011B0000 to global list.
2020-06-20 08:08:31,484 [root] DEBUG: DLL unloaded from 0x000007FEF6E60000.
2020-06-20 08:08:38,609 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-20 08:08:38,609 [lib.api.process] INFO: Terminate event set for process 588
2020-06-20 08:08:38,609 [root] DEBUG: Terminate Event: Attempting to dump process 588
2020-06-20 08:08:38,609 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFC60000.
2020-06-20 08:08:38,609 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-20 08:08:38,625 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFC60000.
2020-06-20 08:08:38,625 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-20 08:08:38,656 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-20 08:08:38,656 [lib.api.process] INFO: Termination confirmed for process 588
2020-06-20 08:08:38,656 [root] INFO: Terminate event set for process 588.
2020-06-20 08:08:38,656 [lib.api.process] INFO: Terminate event set for process 2432
2020-06-20 08:08:38,687 [root] DEBUG: Terminate Event: Attempting to dump process 2432
2020-06-20 08:08:38,687 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 588
2020-06-20 08:08:38,687 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFC60000.
2020-06-20 08:08:38,687 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-20 08:08:38,734 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFC60000.
2020-06-20 08:08:38,734 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-20 08:08:38,750 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-20 08:08:38,750 [lib.api.process] INFO: Termination confirmed for process 2432
2020-06-20 08:08:38,750 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2432
2020-06-20 08:08:38,750 [root] INFO: Terminate event set for process 2432.
2020-06-20 08:08:38,750 [root] INFO: Created shutdown mutex.
2020-06-20 08:08:39,750 [root] INFO: Shutting down package.
2020-06-20 08:08:39,765 [root] INFO: Stopping auxiliary modules.
2020-06-20 08:08:39,968 [lib.common.results] WARNING: File C:\uCiRQoRacp\bin\procmon.xml doesn't exist anymore
2020-06-20 08:08:39,968 [root] INFO: Finishing auxiliary modules.
2020-06-20 08:08:39,968 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-20 08:08:39,968 [root] WARNING: Folder at path "C:\uCiRQoRacp\debugger" does not exist, skip.
2020-06-20 08:08:39,984 [root] WARNING: Monitor injection attempted but failed for process 4308.
2020-06-20 08:08:39,984 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_2 win7x64_6 KVM 2020-06-20 10:16:54 2020-06-20 10:24:01

File Details

File Name NmXRQqik
File Size 22016 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2076-09-04 00:14:39
MD5 5db10902ecc492c772926f47c14a6b44
SHA1 df2e0550fa3123e4718e7f36a00f825be7f4f2ee
SHA256 89f08e47a8ba6e70c1e313ffd49959a5966f07b2ae77f1afead296ff3146c89c
SHA512 b8a157def3a5305c6c1a5d3ea265d715969a857aaf19d6eeb0b9d1ab4d73305cb87062d6ff00f8b9457eb28009aac54b30760415a919188cec7de149c7ac6ca4
CRC32 BAB2821A
Ssdeep 384:7rLnWEFHLTWlLBqGdNyV++jIpHSEpx3NIff1ZJKJfDseFMtREPZ:HLnWEdLCRBzSNmxL5g2

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: "cmd.exe" /C taskkill /F /PID 3272 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4172 triggered the Yara rule 'vmdetect'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/QueryPerformanceFrequency
DynamicLoader: KERNEL32.dll/QueryPerformanceCounter
DynamicLoader: rasapi32.dll/RasEnumConnections
DynamicLoader: rasapi32.dll/RasEnumConnectionsW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: rtutils.dll/TraceRegisterExA
DynamicLoader: rtutils.dll/TracePrintfExA
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: WS2_32.dll/WSAStartup
DynamicLoader: WS2_32.dll/WSASocket
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/WSAEventSelect
DynamicLoader: WS2_32.dll/ioctlsocket
DynamicLoader: WS2_32.dll/closesocket
DynamicLoader: WS2_32.dll/ioctlsocket
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: KERNEL32.dll/FormatMessage
DynamicLoader: KERNEL32.dll/FormatMessageW
DynamicLoader: WS2_32.dll/WSAEventSelect
DynamicLoader: rasapi32.dll/RasConnectionNotification
DynamicLoader: rasapi32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: ADVAPI32.dll/RegOpenCurrentUser
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: winhttp.dll/WinHttpOpen
DynamicLoader: winhttp.dll/WinHttpOpenW
DynamicLoader: winhttp.dll/WinHttpCloseHandle
DynamicLoader: winhttp.dll/WinHttpCloseHandleW
DynamicLoader: winhttp.dll/WinHttpSetTimeouts
DynamicLoader: winhttp.dll/WinHttpSetTimeoutsW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: winhttp.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: KERNEL32.dll/GetTimeZoneInformation
DynamicLoader: KERNEL32.dll/ResetEvent
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: IPHLPAPI.DLL/GetNetworkParams
DynamicLoader: DNSAPI.dll/DnsQueryConfig
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: IPHLPAPI.DLL/GetIpInterfaceEntry
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
Encrypts a single HTTP packet
http_request: GET /VTyrTKEGsonfvV HTTP/1.1 Host: yfw16.tokyofunkowildvaley.ru Connection: Keep-Alive
A process created a hidden window
Process: AddInProcess32.exe -> "cmd.exe" /C taskkill /F /PID 3272 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
CAPE extracted potentially suspicious content
NmXRQqik.exe: Unpacked Shellcode
NmXRQqik.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
NmXRQqik.exe: Injected PE Image: 32-bit executable
AddInProcess32.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
NmXRQqik.exe: Unpacked Shellcode
NmXRQqik.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
AddInProcess32.exe: Unpacked Shellcode
Drops a binary and executes it
binary: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
post_no_useragent: HTTP traffic contains a POST request with no user-agent header
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://195.2.71.110/IRemotePanel
Performs some HTTP requests
url: http://195.2.71.110/IRemotePanel
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C:\Users\Louise\AppData\Local\Temp\NmXRQqik
Anomalous .NET characteristics
anomalous_version: Assembly version is set to 0
Uses Windows utilities for basic functionality
command: "cmd.exe" /C taskkill /F /PID 3272 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Behavioural detection: Injection (Process Hollowing)
Injection: NmXRQqik.exe(4172) -> AddInProcess32.exe(3272)
Executed a process and injected code into it, probably while unpacking
Injection: NmXRQqik.exe(4172) -> AddInProcess32.exe(3272)
Behavioural detection: Injection (inter-process)
File has been identified by 54 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Spider.1
FireEye: Generic.mg.5db10902ecc492c7
CAT-QuickHeal: Trojan.Multi
ALYac: Trojan.Downloader.MSIL.Seraph
Malwarebytes: Trojan.Downloader
VIPRE: Trojan.Win32.Generic!BT
Sangfor: Malware
K7AntiVirus: Trojan ( 0056879b1 )
Alibaba: TrojanDownloader:Win32/Ymacco.79bc605b
K7GW: Trojan ( 0056879b1 )
Arcabit: Trojan.Spider.1
Invincea: heuristic
BitDefenderTheta: Gen:[email protected]
Cyren: W32/Trojan.SSRY-9221
Symantec: ML.Attribute.HighConfidence
TrendMicro-HouseCall: TROJ_FRS.0NA103FE20
Avast: Win32:DropperX-gen [Drp]
Kaspersky: HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender: Gen:Variant.Spider.1
Paloalto: generic.ml
AegisLab: Trojan.Multi.Generic.4!c
Tencent: Msil.Trojan-downloader.Agent.Szvl
Ad-Aware: Gen:Variant.Spider.1
Emsisoft: Gen:Variant.Spider.1 (B)
F-Secure: Trojan.TR/Dldr.Agent.jhnue
DrWeb: Trojan.KillProc2.10930
TrendMicro: TROJ_FRS.0NA103FE20
McAfee-GW-Edition: RDN/Generic Downloader.x
SentinelOne: DFI - Malicious PE
Sophos: Mal/Generic-S
APEX: Malicious
Jiangmin: TrojanDownloader.MSIL.vsu
eGambit: Unsafe.AI_Score_93%
Avira: TR/Dldr.Agent.jhnue
MAX: malware (ai score=87)
Antiy-AVL: Trojan[Downloader]/MSIL.Seraph
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Ymacco.AA89
ZoneAlarm: HEUR:Trojan-Downloader.MSIL.Seraph.gen
Cynet: Malicious (score: 85)
McAfee: RDN/Generic Downloader.x
VBA32: TScope.Trojan.MSIL
Cylance: Unsafe
ESET-NOD32: a variant of MSIL/TrojanDownloader.Agent.GJN
Fortinet: MSIL/Agent.GJN!tr.dldr
Rising: Downloader.Agent!8.B23 (CLOUD)
Yandex: Trojan.DL.Agent!+AAm8zwClC8
Ikarus: Trojan-Downloader.MSIL.Agent
MaxSecure: Trojan.Malware.300983.susgen
GData: Gen:Variant.Spider.1
AVG: Win32:DropperX-gen [Drp]
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_90% (W)
Qihoo-360: Generic/Trojan.Downloader.021
Attempts to create or modify system certificates
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Uses suspicious command line tools or Windows utilities
command: "cmd.exe" /C taskkill /F /PID 3272 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
command: taskkill /F /PID 3272

Screenshots


Hosts

Direct IP Country Name
N 81.177.141.11 [VT] Russian Federation
Y 8.8.8.8 [VT] United States
Y 2.16.186.33 [VT] Europe
Y 195.2.71.110 [VT] Russian Federation
Y 13.107.42.23 [VT] United States

DNS

Name Response Post-Analysis Lookup
yfw16.tokyofunkowildvaley.ru [VT] A 81.177.141.11 [VT] 81.177.141.11 [VT]

Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCachedSockets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCachedSockets
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\CacheAllCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseNewRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistrationOnly
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterDomainName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\DhcpDomain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{846EE342-7039-11DE-9D20-806E6F6E6963}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\SearchList
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\NodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpNodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\ScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableProxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableDns
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertSyncDeltaTime
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTime
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1e4\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AddInProcess.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\client
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AddInProcess32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceModel__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.SMDiagnostics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.SMDiagnostics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.IdentityModel__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.IdentityModel__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Transactions.Bridge__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Transactions.Bridge__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Messaging__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Messaging__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Net.Http__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Net.Http__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.DurableInstancing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.DurableInstancing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.IdentityModel.Selectors__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.IdentityModel.Selectors__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web.ApplicationServices__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web.ApplicationServices__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AddInProcess32_RASAPI32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileDirectory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_CURRENT_USER\Control Panel\Desktop\LanguageConfiguration
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\taskkill.exe
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\LegacyWPADSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenBadTlds
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenBadTlds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\FilterClusterIp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\FilterClusterIp
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseEdns
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseEdns
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\QueryIpMatching
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryIpMatching
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseHostsFile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseHostsFile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AddrConfigControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AddrConfigControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\EnableNullRecordSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableWanDynamicUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationTTL
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheTtl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MaxCachedSockets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCachedSockets
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\CacheAllCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseNewRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistrationOnly
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\AdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{904D2269-4DBE-41E3-885E-48DAF5904320}\DhcpDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\SearchList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\NodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpNodeType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\ScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpScopeId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableProxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableDns
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertSyncDeltaTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileDirectory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\NmXRQqik_RASAPI32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\NmXRQqik_RASAPI32\FileDirectory
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\LanguageList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AddInProcess32_RASAPI32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.CompareStringOrdinal
kernel32.dll.GetFullPathNameW
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
ntdll.dll.NtQuerySystemInformation
kernel32.dll.GetFileAttributesExW
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
bcrypt.dll.BCryptGetFipsAlgorithmMode
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.CreateEventW
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
psapi.dll.GetModuleFileNameExW
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.QueryPerformanceCounter
rasapi32.dll.RasEnumConnectionsW
rtutils.dll.TraceRegisterExA
rtutils.dll.TracePrintfExA
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceStatus
sechost.dll.CloseServiceHandle
ws2_32.dll.WSAStartup
ws2_32.dll.WSASocketW
ws2_32.dll.setsockopt
ws2_32.dll.WSAEventSelect
ws2_32.dll.ioctlsocket
ws2_32.dll.closesocket
ws2_32.dll.WSAIoctl
kernel32.dll.FormatMessageW
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegOpenCurrentUser
advapi32.dll.RegNotifyChangeKeyValue
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSetTimeouts
kernel32.dll.LocalFree
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.StringFromIID
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIfEntry2
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
nsi.dll.NsiFreeTable
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.SetEvent
kernel32.dll.GetTimeZoneInformation
kernel32.dll.ResetEvent
iphlpapi.dll.GetNetworkParams
dnsapi.dll.DnsQueryConfig
iphlpapi.dll.GetAdaptersAddresses
iphlpapi.dll.GetIpInterfaceEntry
iphlpapi.dll.GetBestInterfaceEx
kernel32.dll.LocalAlloc
ws2_32.dll.GetAddrInfoW
ws2_32.dll.freeaddrinfo
ws2_32.dll.WSAConnect
secur32.dll.EnumerateSecurityPackagesW
secur32.dll.FreeContextBuffer
secur32.dll.FreeCredentialsHandle
secur32.dll.AcquireCredentialsHandleW
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
secur32.dll.DeleteSecurityContext
secur32.dll.InitializeSecurityContextW
ws2_32.dll.send
ws2_32.dll.recv
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
secur32.dll.QueryContextAttributesW
ncrypt.dll.SslLookupCipherSuiteInfo
ncrypt.dll.SslLookupCipherLengths
crypt32.dll.CertFreeCertificateContext
crypt32.dll.CertDuplicateCertificateContext
crypt32.dll.CertGetCertificateContextProperty
crypt32.dll.CertCloseStore
crypt32.dll.CertDuplicateStore
crypt32.dll.CertEnumCertificatesInStore
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertOpenStore
crypt32.dll.CertAddCertificateLinkToStore
kernel32.dll.GetDynamicTimeZoneInformation
kernel32.dll.GetFileMUIPath
kernel32.dll.LoadLibraryExW
kernel32.dll.FreeLibrary
user32.dll.LoadStringW
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.QueryServiceConfigW
cryptsp.dll.CryptAcquireContextA
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
cryptsp.dll.CryptGetKeyParam
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyHash
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
crypt32.dll.CertDuplicateCertificateChain
crypt32.dll.CertVerifyCertificateChainPolicy
kernel32.dll.SetLastError
secur32.dll.EncryptMessage
ncrypt.dll.SslEncryptPacket
secur32.dll.DecryptMessage
ncrypt.dll.SslDecryptPacket
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.LoadLibraryA
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetProcAddress
kernel32.dll.CreateProcessInternalW
kernel32.dll.IsWow64Process
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.GetThreadContext
kernel32.dll.TerminateProcess
kernel32.dll.FindNextFileW
kernel32.dll.Wow64GetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ResumeThread
kernel32.dll.GetStdHandle
advapi32.dll.EventUnregister
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
rpcrt4.dll.RpcBindingFree
cryptsp.dll.CryptReleaseContext
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
kernel32.dll.ExpandEnvironmentStringsW
ole32.dll.CoCreateGuid
ws2_32.dll.select
ws2_32.dll.WSASend
ws2_32.dll.shutdown
diasymreader.dll.DllGetClassObject
kernel32.dll.CreatePipe
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.CreateProcessW
kernel32.dll.GetConsoleOutputCP
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
winsta.dll.WinStationFreeMemory
winsta.dll.WinStationCloseServer
winsta.dll.WinStationOpenServerW
winsta.dll.WinStationFreeGAPMemory
winsta.dll.WinStationGetAllProcesses
winsta.dll.WinStationEnumerateProcesses
ntdll.dll.EtwUnregisterTraceGuids
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoTaskMemRealloc
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"cmd.exe" /C taskkill /F /PID 3272 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
taskkill /F /PID 3272
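
The tail of the resolved-API list above (CreateProcessInternalW, IsWow64Process, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, GetThreadContext, Wow64GetThreadContext, Wow64SetThreadContext, ResumeThread) is the textbook process-hollowing order, which is what the T1055 / InjectionInterProcess entry in the MITRE section reflects. IsWow64Process and the Wow64 context variants point at a 32-bit target, consistent with AddInProcess32.exe in the process list, and the cmd.exe line afterwards kills a PID and deletes that host. The script below is an added example, not part of the CAPE report or of the sample: it checks a resolved-API trace for that ordered sequence while tolerating unrelated calls in between. SAMPLE_TRACE is a constructed excerpt of the list above; BENIGN_TRACE is made up for contrast; the stage table is the classic RunPE order, not a CAPE signature.

```python
"""Flag the process-hollowing (RunPE) call sequence in a resolved-API trace.

Added example, not part of the CAPE report or of the sample. SAMPLE_TRACE is a
constructed excerpt of the resolved-API list above (order preserved);
BENIGN_TRACE is made up for contrast. The stage table is the classic RunPE
order, not a CAPE signature.
"""
import re
from typing import Dict, FrozenSet, Iterable, Optional, Sequence, Tuple

# Ordered stages of a hollowing loader; any API in a stage's set satisfies it.
HOLLOWING_STAGES: Sequence[Tuple[str, FrozenSet[str]]] = (
    ("create_process", frozenset({"CreateProcessInternalW", "CreateProcessW", "CreateProcessA"})),
    ("unmap_image",    frozenset({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"})),
    ("alloc_remote",   frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"})),
    ("write_remote",   frozenset({"WriteProcessMemory", "NtWriteVirtualMemory"})),
    ("get_context",    frozenset({"GetThreadContext", "Wow64GetThreadContext"})),
    ("set_context",    frozenset({"SetThreadContext", "Wow64SetThreadContext"})),
    ("resume",         frozenset({"ResumeThread", "NtResumeThread"})),
)

# "module.dll.Name" as the report prints it; ordinal imports look like "#500".
_API_RE = re.compile(r"^(?P<module>[\w.]+\.dll)\.(?P<name>[#\w]+)$", re.IGNORECASE)


def api_name(entry: str) -> str:
    """'kernel32.dll.VirtualAllocEx' -> 'VirtualAllocEx'; ordinals stay as '#N'."""
    m = _API_RE.match(entry.strip())
    return m.group("name") if m else entry.strip()


def find_hollowing(trace: Iterable[str]) -> Optional[Dict[str, str]]:
    """Return {stage: api} when every stage is hit in order, else None.

    Unrelated calls between stages are ignored, so file enumeration or
    TerminateProcess interleaved with the sequence (as in the report) does
    not hide it; a stage hit out of order does not advance the match.
    """
    hits: Dict[str, str] = {}
    stage = 0
    for entry in trace:
        if stage == len(HOLLOWING_STAGES):
            break
        name = api_name(entry)
        if name in HOLLOWING_STAGES[stage][1]:
            hits[HOLLOWING_STAGES[stage][0]] = name
            stage += 1
    return hits if stage == len(HOLLOWING_STAGES) else None


# Constructed excerpt of the report's resolved-API list (order preserved).
SAMPLE_TRACE = """
kernel32.dll.FindFirstFileW
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.CreateProcessInternalW
kernel32.dll.IsWow64Process
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.GetThreadContext
kernel32.dll.TerminateProcess
kernel32.dll.FindNextFileW
kernel32.dll.Wow64GetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ResumeThread
""".split()

# Made-up trace: creates and writes a child but never swaps its thread context.
BENIGN_TRACE = [
    "kernel32.dll.CreateProcessW",
    "kernel32.dll.VirtualAllocEx",
    "kernel32.dll.WriteProcessMemory",
    "kernel32.dll.ResumeThread",
]

if __name__ == "__main__":
    for label, trace in (("report", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        result = find_hollowing(trace)
        print(label, "->", "HOLLOWING" if result else "no match", result or "")
```

The matcher is deliberately order-sensitive: VirtualAllocEx plus WriteProcessMemory alone also describe a debugger or an installer, and it is the unmap, the context swap and the resume in that order that make the pattern specific.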

PE Information

Image Base          0x00400000
Entry Point         0x00406a12
Reported Checksum   0x00000000
Actual Checksum     0x0000e664
Minimum OS Version  4.0
Compile Time        2076-09-04 00:14:39
Import Hash         f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00004a18 0x00004c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.34
.rsrc 0x00004e00 0x00008000 0x000004e4 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.73
.reloc 0x00005400 0x0000a000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.08
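
Two of the values above carry the signal: the compile time 2076-09-04 lies 56 years after the 2020-06-20 analysis date, which is what pe_compile_timestomping under Defense Evasion reports, and the reported checksum is 0 while the computed one is 0x0000e664, meaning the linker never set it (common for .NET assemblies and other non-driver images, so not an indicator on its own). The following is an added Python example, not part of the report or of the sample: it parses the MZ/PE32 headers for the fields the report tabulates and flags a future compile time and an entry point that falls outside an executable section. The header blob it parses is constructed from the values shown above; SizeOfImage, alignments and subsystem are assumed values the report does not show.

```python
"""Parse PE32 headers and flag a timestomped compile time.

Added example, not part of the CAPE report or of the sample: the header blob
built by build_sample_headers() is constructed from the values the report
shows (image base, entry point, checksum, min OS, compile time, section
table); fields the report does not show (SizeOfImage, alignments, subsystem)
are assumed values chosen only so the blob is well formed.
"""
import struct
from datetime import datetime, timedelta
from typing import Dict, List

EPOCH = datetime(1970, 1, 1)
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
REPORT_SECTIONS = [
    (b".text",  0x4A18, 0x2000, 0x4C00, 0x0200, 0x60000020),
    (b".rsrc",  0x04E4, 0x8000, 0x0600, 0x4E00, 0x40000040),
    (b".reloc", 0x000C, 0xA000, 0x0200, 0x5400, 0x42000040),
]
REPORT_COMPILE_TIME = datetime(2076, 9, 4, 0, 14, 39)
REPORT_ANALYSIS_TIME = datetime(2020, 6, 20, 10, 16, 54)


def build_sample_headers() -> bytes:
    """Constructed MZ/PE32 header blob carrying the report's values."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    tstamp = int((REPORT_COMPILE_TIME - EPOCH).total_seconds())    # unsigned DWORD, fits until 2106
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(REPORT_SECTIONS), tstamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x6A12)                        # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)                # Section/File alignment (assumed)
    struct.pack_into("<HH", opt, 40, 4, 0)                         # Major/MinorOperatingSystemVersion
    struct.pack_into("<III", opt, 56, 0xC000, 0x200, 0)            # SizeOfImage (assumed), SizeOfHeaders, CheckSum = 0
    struct.pack_into("<H", opt, 68, 3)                             # Subsystem = console (assumed)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    sects = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                     for n, vs, va, rs, rp, c in REPORT_SECTIONS)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sects


def parse_pe(data: bytes, analysis_time: datetime) -> Dict:
    """Read the fields the report tabulates and return the findings an analyst wants."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _machine, nsect, tstamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    (checksum,) = struct.unpack_from("<I", data, opt + 64)

    sections: List[Dict] = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize,
                         "chars": schars})

    # timedelta arithmetic sidesteps platform limits of utcfromtimestamp past 2038.
    compile_time = EPOCH + timedelta(seconds=tstamp)
    findings: List[str] = []
    if compile_time > analysis_time:
        findings.append(f"compile time {compile_time:%Y-%m-%d %H:%M:%S} is in the future (timestomped)")
    if checksum == 0:
        findings.append("reported checksum is 0 (never set; cannot be used for integrity)")
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    elif not entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point is in non-executable section {entry_sec['name']}")

    return {"image_base": image_base, "entry_point": image_base + entry_rva,
            "min_os": f"{major_os}.{minor_os}", "reported_checksum": checksum,
            "compile_time": compile_time, "sections": sections,
            "entry_section": entry_sec["name"] if entry_sec else None,
            "findings": findings}


if __name__ == "__main__":
    report = parse_pe(build_sample_headers(), REPORT_ANALYSIS_TIME)
    for key in ("image_base", "entry_point", "min_os", "compile_time", "entry_section"):
        print(f"{key:15} {report[key]}")
    for f in report["findings"]:
        print("finding:", f)
```

The future-date check is the whole of the timestomping heuristic; a compile time earlier than the analysis date says nothing, since the value is under the author's control either way. The entry-point check is there because the sample's entry sits inside .text as expected, and a loader whose entry is in .rsrc or past the section table is the more common packer tell.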

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00008090 0x00000254 LANG_NEUTRAL SUBLANG_NEUTRAL 3.15 None
RT_MANIFEST 0x000082f4 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name Chiffonier
Version 0.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
System 4.0.0.0

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Security.Permissions.SecurityAction
mscorlib System.Security.Permissions.SecurityPermissionAttribute
mscorlib System.Security.UnverifiableCodeAttribute
mscorlib System.Object
mscorlib System.ParamArrayAttribute
mscorlib System.Action
mscorlib System.Func`1
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Reflection.MethodInfo
mscorlib System.Text.StringBuilder
mscorlib System.Collections.Generic.IEnumerator`1
mscorlib System.Runtime.ConstrainedExecution.Consistency
mscorlib System.Runtime.ConstrainedExecution.Cer
mscorlib System.Runtime.ConstrainedExecution.ReliabilityContractAttribute
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
mscorlib System.ValueType
mscorlib System.Console
System System.Net.ServicePointManager
System System.Net.SecurityProtocolType
mscorlib System.Runtime.InteropServices.ExternalException
mscorlib System.String
mscorlib System.Text.Encoding
mscorlib System.Convert
mscorlib System.Char
mscorlib System.IO.Directory
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.Collections.IEnumerator
mscorlib System.IDisposable
System System.Net.WebClient
mscorlib System.Activator
mscorlib System.IntPtr
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
mscorlib System.Reflection.MethodBase
mscorlib System.Int32
mscorlib System.IO.Path
mscorlib System.Byte
mscorlib System.Buffer
mscorlib System.Array

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
v4.0.30319
#Strings
#GUID
#Blob
<>c__DisplayClass2_0
<SystemDataRBTreeNodeColorP>b__0
<>c__DisplayClass2_1
<SystemDataRBTreeNodeColorP>b__1
Func`1
IEnumerable`1
IEnumerator`1
CS$<>8__locals1
kernel32
Int32
<>c__DisplayClass2_2
<SystemDataRBTreeNodeColorP>b__2
cbReserved2
lpReserved2
CS$<>8__locals2
<>c__DisplayClass2_3
<>9__3
<SystemDataRBTreeNodeColorP>b__3
CS$<>8__locals3
ToInt64
isWow64
get_UTF8
<Module>
SystemRuntimeInteropServicesComTypesTYMEDA
SystemConfigurationUriSectionReaderA
SystemNetMailMBDataTypeC
SystemDataStatementTypeE
MicrosoftWinSessionEndReasonsE
MicrosoftWinUnsafeNativeMethodsCOMSTATH
get_ASCII
SystemSecurityCryptographyXCertificatesXChainElementCollectionI
lpProcesSystemNetTunnelStateObjectK
SystemNetSocketsAcceptOverlappedAsyncResultL
NewtonsoftJsonUtilitiesDictionaryWrappercN
SystemNetConfigurationSmtpSectionSmtpDeliveryFormatTypeConverterN
System.IO
SystemDataRBTreeNodeColorP
SystemCodeDomCodeArgumentReferenceExpressionQ
SystemNetServerCertValidationCallbackCallbackContextQ
SystemNetMimeEncodedStreamFactoryQ
ThrowExceptionForHR
NewtonsoftJsonLinqJRawCreateAsyncdS
NewtonsoftJsonJsonTextWriterDoWriteCommentAsyncdS
SystemNetAuthenticationStateT
SystemCodeDomCodeLinePragmaU
SystemNetFtpDataStreamU
get_SystemNetHttpResponseHeaderU
set_SystemNetHttpResponseHeaderU
SystemComponentModelDesignComponentEventHandlerU
SystemDataSqlClientActiveDirectoryAuthenticationTimeoutRetryHelperU
SystemNetCertificateEncodingX
SystemIOCompressionGZipDecoderGZipOptionalHeaderFlagsZ
MicrosoftWinUnsafeNativeMethodsma
SizeOfRawData
PointerToRawData
SystemNetWebRequestWebProxyWrapperOpaqueb
mscorlib
Magic
e_magic
System.Collections.Generic
dwThreadId
dwProcessId
hThread
lpReserved
<SystemNetHttpResponseHeaderU>k__BackingField
<SystemComponentModelDesignHelpContextTypef>k__BackingField
GetMethod
method
third
get_Password
set_Password
MicrosoftWinSessionEndReasonsEasd
Replace
CreateInstance
exitCode
SizeOfImage
EndInvoke
BeginInvoke
IDisposable
RuntimeTypeHandle
GetTypeFromHandle
handle
Console
lpTitle
hModule
procName
fileName
lpApplicationName
SystemComponentModelCollectionChangeActionwtionName
GetDirectoryName
lpCommandLine
WriteLine
ValueType
SecurityProtocolType
flAllocationType
SystemNetUploadValuesCompletedEventHandlere
Signature
MethodBase
ImageBase
Dispose
MulticastDelegate
CompilerGeneratedAttribute
UnverifiableCodeAttribute
DebuggableAttribute
ComVisibleAttribute
TargetFrameworkAttribute
dwFillAttribute
SecurityPermissionAttribute
CompilationRelaxationsAttribute
ReliabilityContractAttribute
ParamArrayAttribute
RuntimeCompatibilityAttribute
SetByte
value
set_Expect100Continue
Chiffonier.exe
dwXSize
dwYSize
nSize
dwSize
SizeOf
get_SystemComponentModelDesignHelpContextTypef
set_SystemComponentModelDesignHelpContextTypef
SystemComponentModelEditorAttributef
SystemDataOdbcOdbcParameterf
Encoding
System.Runtime.Versioning
FromBase64String
DownloadString
ToString
GetString
SystemNetMailSendCompletedEventHandlerg
SystemDataSqlClientSqlCommandcDisplayClassg
SystemDataProviderBaseDbConnectionClosedNeverOpenedh
SystemDataCommonDBConnectionStringh
get_Length
NewtonsoftJsonLinqJsonPathScanFilterExecuteFilterdj
AsyncCallback
callback
SystemSecurityCryptographyXCertificatesXChainElementCollectionk
AllocHGlobal
FreeHGlobal
Marshal
kernel32.dll
get_SecurityProtocol
set_SecurityProtocol
System
MicrosoftWinUnsafeNativeMethodsm
SystemDataSqlClientSqlBulkCopycDisplayClassm
hToken
hNewToken
lpNumberOfBytesWritten
SystemComponentModelDesignSerializationContextStackn
SecurityAction
System.Reflection
section
ExternalException
System.Runtime.ConstrainedExecution
MethodInfo
lpStartupInfo
SystemMediaSoundPlayerNativeMethodsMMCKINFOp
lpDesktop
get_SystemSecurityCryptographyXCertificatesXSubjectKeyIdentifierExtensionq
set_SystemSecurityCryptographyXCertificatesXSubjectKeyIdentifierExtensionq
get_SystemDataCommonUnsafeNativeMethodsIColumnsInfoq
SystemCollectionsSpecializedNameObjectCollectionBaseNameObjectKeysEnumeratorq
FileHeader
OptionalHeader
StringBuilder
Buffer
ServicePointManager
Chiffonier
GetHRForLastWin32Error
hStdError
IEnumerator
GetEnumerator
Activator
.ctor
.cctor
IntPtr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
DebuggingModes
bInheritHandles
EnumerateFiles
lpThreadAttributes
lpProcessAttributes
dwCreationFlags
ContextFlags
dwFlags
BunifuFrameworkUIBunifuForms
System.Security.Permissions
NumberOfSections
System.Collections
get_Chars
dwXCountChars
dwYCountChars
SizeOfHeaders
hProcess
GetProcAddress
lpBaseAddress
VirtualAddress
lpAddress
address
AppendFormat
Object
object
flProtect
System.Net
op_Explicit
IAsyncResult
result
WebClient
lpEnvironment
get_Current
AddressOfEntryPoint
Convert
hStdInput
hStdOutput
MoveNext
System.Text
pContext
NewtonsoftJsonLinqJTokenAnnotationsdu
e_lfanew
SystemComponentModelCollectionChangeActionw
wShowWindow
SystemCollectionsGenericLinkedListEnumeratorw
SystemExceptionResourcex
SystemNetMailDotAtomReaderx
MicrosoftWinNativeMethodsPERFOBJECTTYPEy
Array
Consistency
LoadLibrary
FreeLibrary
lpCurrentDirectory
op_Equality
op_Inequality
System.Security
Empty
SystemNetNetworkInformationMibIfRowy
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
WrapNonExceptionThrows
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
SystemConfigurationConfigXmlSignificantWhitespacev
CollectionsGenericSortedDictionaryKeyCollectioncDisplayClassS
FCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSj83JiRwCyMwIXhhJHQ/CxMVKS8IVQ8kHSsWMCYpMQMyIxsrHhJ2KRZwXi8LVzlgCQZzMj4oKiEnHARn
DCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSCxyKRcFMms=
JCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSg0VdREKKmAmH3hnHSskPTwrUmYIVDVnJXcddBAvEyAOVC0hHQ0dLRAFMWMmCAtjC3QdEBcaLQM5VhcaJHd+MCgsPQE=
GEGErBgVjfAR
FCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSnd+MhcTWms=
GetDelegateForFunctionPointer
JCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSncRPBAvMSUnHAgnHQI/Ng==
JCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSSsVLhAFECMwITkh
FCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSnYNKSsaNTo/LgskHncRPxFyCyMOIRcrJSgBNiQ1Wms=
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSQIRPBAVCyMzPhM+Eg0NMytwMSwJEXxv
FCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSnc/MxFwMR8zMXQ5JQISeA==
FCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSB0JHRBxBGQkIAMrJXcJKRFxKms=
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSysVExAvVj4JIBsiHR0jFSguKTozVRMiJXdzeA==
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSSgrPBYKMT4IIwchJQJ+LyAaAGs=
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSXYNNRYFMQcJC3g4HR0JPyYVMSIIVQtn
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSXd+djwoNR4wPhMHJg0NKSsVNRIIVHRiHR0vdQ==
FCollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSXcRdSQFDy8wMQc5Fnd+MBYFMWIOJ3xv
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSXd+djwoNQIwPhMHJg0NKSsVNRIIVHRiHR0vdQ==
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSncRdSQFDy8wMQc5Fnd+MBYFMWIOJ3xv
ECollectionsGenericSortedDictionaryKeyCollectioncDisplayClassSigRPxYVVjo8ISkrHRIBLg==
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
Chiffonier.exe
LegalCopyright
OriginalFilename
Chiffonier.exe
ProductVersion
0.0.0.0
Assembly Version
0.0.0.0

Full Results

Engine                Signature
Bkav                  Clean
MicroWorld-eScan      Gen:Variant.Spider.1
FireEye               Generic.mg.5db10902ecc492c7
CAT-QuickHeal         Trojan.Multi
ALYac                 Trojan.Downloader.MSIL.Seraph
Malwarebytes          Trojan.Downloader
VIPRE                 Trojan.Win32.Generic!BT
SUPERAntiSpyware      Clean
Sangfor               Malware
K7AntiVirus           Trojan ( 0056879b1 )
Alibaba               TrojanDownloader:Win32/Ymacco.79bc605b
K7GW                  Trojan ( 0056879b1 )
Cybereason            Clean
Arcabit               Trojan.Spider.1
Invincea              heuristic
BitDefenderTheta      Gen:[email protected]
Cyren                 W32/Trojan.SSRY-9221
Symantec              ML.Attribute.HighConfidence
TotalDefense          Clean
Baidu                 Clean
TrendMicro-HouseCall  TROJ_FRS.0NA103FE20
Avast                 Win32:DropperX-gen [Drp]
ClamAV                Clean
Kaspersky             HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender           Gen:Variant.Spider.1
NANO-Antivirus        Clean
Paloalto              generic.ml
AegisLab              Trojan.Multi.Generic.4!c
Tencent               Msil.Trojan-downloader.Agent.Szvl
Ad-Aware              Gen:Variant.Spider.1
Emsisoft              Gen:Variant.Spider.1 (B)
Comodo                Clean
F-Secure              Trojan.TR/Dldr.Agent.jhnue
DrWeb                 Trojan.KillProc2.10930
Zillya                Clean
TrendMicro            TROJ_FRS.0NA103FE20
McAfee-GW-Edition     RDN/Generic Downloader.x
SentinelOne           DFI - Malicious PE
Trapmine              Clean
CMC                   Clean
Sophos                Mal/Generic-S
APEX                  Malicious
F-Prot                Clean
Jiangmin              TrojanDownloader.MSIL.vsu
eGambit               Unsafe.AI_Score_93%
Avira                 TR/Dldr.Agent.jhnue
MAX                   malware (ai score=87)
Antiy-AVL             Trojan[Downloader]/MSIL.Seraph
Kingsoft              Clean
Endgame               malicious (high confidence)
Microsoft             Trojan:Win32/Ymacco.AA89
ViRobot               Clean
ZoneAlarm             HEUR:Trojan-Downloader.MSIL.Seraph.gen
Avast-Mobile          Clean
Cynet                 Malicious (score: 85)
AhnLab-V3             Clean
Acronis               Clean
McAfee                RDN/Generic Downloader.x
TACHYON               Clean
VBA32                 TScope.Trojan.MSIL
Cylance               Unsafe
Zoner                 Clean
ESET-NOD32            a variant of MSIL/TrojanDownloader.Agent.GJN
Fortinet              MSIL/Agent.GJN!tr.dldr
Rising                Downloader.Agent!8.B23 (CLOUD)
Yandex                Trojan.DL.Agent!+AAm8zwClC8
Ikarus                Trojan-Downloader.MSIL.Agent
MaxSecure             Trojan.Malware.300983.susgen
GData                 Gen:Variant.Spider.1
Webroot               Clean
AVG                   Win32:DropperX-gen [Drp]
Panda                 Trj/GdSda.A
CrowdStrike           win/malicious_confidence_90% (W)
Qihoo-360             Generic/Trojan.Downloader.021
Sorry! No behavior.

Hosts

Direct IP Country Name
N 81.177.141.11 [VT] Russian Federation
Y 8.8.8.8 [VT] United States
Y 2.16.186.33 [VT] Europe
Y 195.2.71.110 [VT] Russian Federation
Y 13.107.42.23 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.1.7 49174 13.107.42.23 443
192.168.1.7 49176 13.107.42.23 443
192.168.1.7 55676 13.88.28.53 32421
192.168.1.7 52817 13.88.28.53 13647
192.168.1.7 38082 13.88.28.53 52175
192.168.1.7 49200 195.2.71.110 80
192.168.1.7 49186 81.177.141.11 yfw16.tokyofunkowildvaley.ru 443

UDP

Source Source Port Destination Destination Port
192.168.1.7 137 192.168.1.255 137
192.168.1.7 55169 8.8.8.8 53
192.168.1.7 56221 8.8.8.8 53
192.168.1.7 57251 8.8.8.8 53
192.168.1.7 61313 8.8.8.8 53
192.168.1.7 62371 8.8.8.8 53
192.168.1.7 64247 8.8.8.8 53
192.168.1.7 65119 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
yfw16.tokyofunkowildvaley.ru [VT] A 81.177.141.11 [VT] 81.177.141.11 [VT]

HTTP Requests

URI Data
http://195.2.71.110/IRemotePanel
POST /IRemotePanel HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"
Host: 195.2.71.110
Content-Length: 136
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
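
The request above is a SOAP call from a .NET client: Expect: 100-continue is the HttpWebRequest default for a POST (the set_Expect100Continue reference in the strings shows the sample touches that setting), the SOAPAction sits under http://tempuri.org/, the namespace WCF assigns when a service contract declares none, and the Host header is a bare IP with no User-Agent anywhere. The script below is an added example, not part of the CAPE report or of the sample: it parses a raw HTTP/1.1 request head and scores those traits. SAMPLE_REQUEST is a constructed copy of the request above, BENIGN_REQUEST is made up for contrast, and the weights are this example's own, not CAPE's network_cnc_http signature.

```python
"""Score a captured HTTP request for the C2-panel traits visible in the report.

Added example, not part of the CAPE report or of the sample. SAMPLE_REQUEST is
a constructed copy of the POST /IRemotePanel request shown above;
BENIGN_REQUEST is made up for contrast; the heuristics and their weights are
this example's own, not CAPE's signatures.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_REQUEST = (
    "POST /IRemotePanel HTTP/1.1\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"\r\n'
    "Host: 195.2.71.110\r\n"
    "Content-Length: 136\r\n"
    "Expect: 100-continue\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Host header forms: name, name:port, v4, v4:port, [v6], [v6]:port
_HOST_RE = re.compile(r"^\[?([^\]]+?)\]?(?::\d+)?$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, path, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host: str) -> bool:
    """True when Host names an address rather than a DNS name (port allowed)."""
    m = _HOST_RE.match(host.strip())
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:
        return False


def score_request(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason is one trait of the report's beacon."""
    method, _path, h = parse_request(raw)
    score, reasons = 0, []
    if is_ip_literal(h.get("host", "")):
        score += 2
        reasons.append("Host is an IP literal, no DNS name involved")
    if h.get("soapaction", "").strip('"').startswith("http://tempuri.org/"):
        score += 2
        reasons.append("SOAPAction under tempuri.org, the WCF namespace used when a contract sets none")
    if method == "POST" and h.get("expect", "").lower() == "100-continue":
        score += 1
        reasons.append("Expect: 100-continue, the .NET HttpWebRequest default for POST")
    if "user-agent" not in h:
        score += 1
        reasons.append("no User-Agent header at all")
    return score, reasons


if __name__ == "__main__":
    for label, req in (("report", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        s, why = score_request(req)
        print(f"{label}: score {s}")
        for r in why:
            print("  -", r)
```

None of the four traits is malicious alone; internal WCF services on a bare IP produce the first three legitimately. What the score captures is the combination plus the absence of any browser-like header, which is the shape worth a hunting query against proxy logs rather than a blocking rule.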

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.7 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49201 13.88.28.53 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.7 49186 81.177.141.11 yfw16.tokyofunkowildvaley.ru 443 1074895078955b2db60423ed2bf8ac23 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1112 - Modify Registry
    • Signature - modifies_certs
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1099 - Timestomp
    • Signature - pe_compile_timestomping

Execution
  • T1129 - Execution through Module Load
    • Signature - dropper

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 5.409 seconds )

    • 3.159 NetworkAnalysis
    • 1.439 BehaviorAnalysis
    • 0.246 VirusTotal
    • 0.164 Static
    • 0.128 static_dotnet
    • 0.101 CAPE
    • 0.073 AnalysisInfo
    • 0.049 Deduplicate
    • 0.014 Debug
    • 0.013 Dropped
    • 0.009 TargetInfo
    • 0.006 peid
    • 0.005 Suricata
    • 0.003 Strings

    Signatures ( 1.939 seconds )

    • 0.498 antiav_detectreg
    • 0.194 territorial_disputes_sigs
    • 0.177 infostealer_ftp
    • 0.104 antianalysis_detectreg
    • 0.101 infostealer_im
    • 0.055 antivm_vbox_keys
    • 0.037 antivm_vmware_keys
    • 0.033 stealth_timeout
    • 0.031 infostealer_mail
    • 0.031 masquerade_process_name
    • 0.03 api_spamming
    • 0.03 decoy_document
    • 0.028 antivm_parallels_keys
    • 0.027 antivm_xen_keys
    • 0.022 NewtWire Behavior
    • 0.022 antiav_detectfile
    • 0.019 antivm_vpc_keys
    • 0.018 antivm_generic_diskreg
    • 0.017 antivm_generic_scsi
    • 0.016 malicious_dynamic_function_loading
    • 0.016 geodo_banking_trojan
    • 0.014 ransomware_files
    • 0.013 Doppelganging
    • 0.013 antiemu_wine_func
    • 0.013 infostealer_bitcoin
    • 0.012 antivm_generic_disk
    • 0.012 dynamic_function_loading
    • 0.012 antianalysis_detectfile
    • 0.01 antivm_vbox_files
    • 0.009 InjectionCreateRemoteThread
    • 0.009 antivm_xen_keys
    • 0.009 antivm_hyperv_keys
    • 0.009 bypass_firewall
    • 0.009 ransomware_extensions
    • 0.008 infostealer_browser_password
    • 0.008 injection_createremotethread
    • 0.008 blackrat_registry_keys
    • 0.008 recon_programs
    • 0.007 antivm_generic_services
    • 0.007 betabot_behavior
    • 0.007 kibex_behavior
    • 0.007 kovter_behavior
    • 0.007 mimics_filetime
    • 0.007 qulab_files
    • 0.006 bootkit
    • 0.006 exec_crash
    • 0.006 persistence_autorun
    • 0.006 reads_self
    • 0.006 virus
    • 0.006 predatorthethief_files
    • 0.005 InjectionInterProcess
    • 0.005 antidebug_guardpages
    • 0.005 antivm_vbox_libs
    • 0.005 exploit_getbasekerneladdress
    • 0.005 infostealer_browser
    • 0.005 OrcusRAT Behavior
    • 0.005 stealth_file
    • 0.005 ketrican_regkeys
    • 0.005 darkcomet_regkeys
    • 0.004 lsass_credential_dumping
    • 0.004 exploit_heapspray
    • 0.004 hancitor_behavior
    • 0.004 injection_runpe
    • 0.004 antivm_generic_bios
    • 0.004 antivm_generic_system
    • 0.004 limerat_regkeys
    • 0.004 recon_fingerprint
    • 0.003 InjectionProcessHollowing
    • 0.003 antiav_avast_libs
    • 0.003 uac_bypass_eventvwr
    • 0.003 dridex_behavior
    • 0.003 encrypted_ioc
    • 0.003 exploit_gethaldispatchtable
    • 0.003 network_tor
    • 0.003 antidbg_devices
    • 0.003 antivm_vmware_files
    • 0.003 browser_security
    • 0.003 disables_browser_warn
    • 0.003 warzonerat_regkeys
    • 0.003 remcos_regkeys
    • 0.002 EvilGrab
    • 0.002 Unpacker
    • 0.002 antisandbox_sunbelt_libs
    • 0.002 hawkeye_behavior
    • 0.002 injection_explorer
    • 0.002 kazybot_behavior
    • 0.002 shifu_behavior
    • 0.002 stack_pivot
    • 0.002 tinba_behavior
    • 0.002 vawtrak_behavior
    • 0.002 modify_proxy
    • 0.002 network_dns_opennic
    • 0.002 network_torgateway
    • 0.002 medusalocker_regkeys
    • 0.001 InjectionSetWindowLong
    • 0.001 antiav_bitdefender_libs
    • 0.001 antiav_bullgaurd_libs
    • 0.001 antiav_emsisoft_libs
    • 0.001 antiav_qurb_libs
    • 0.001 antiav_apioverride_libs
    • 0.001 antiav_nthookengine_libs
    • 0.001 antisandbox_sboxie_libs
    • 0.001 antivm_vmware_libs
    • 0.001 dyre_behavior
    • 0.001 Raccoon Behavior
    • 0.001 Vidar Behavior
    • 0.001 ransomware_dmalocker
    • 0.001 rat_nanocore
    • 0.001 sets_autoconfig_url
    • 0.001 antivm_vbox_devices
    • 0.001 banker_cridex
    • 0.001 bot_drive
    • 0.001 browser_addon
    • 0.001 codelux_behavior
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 network_cnc_http
    • 0.001 packer_armadillo_regkey
    • 0.001 persistence_shim_database
    • 0.001 nemty_regkeys
    • 0.001 revil_mutexes
    • 0.001 satan_mutexes
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 sniffer_winpcap
    • 0.001 stealth_hiddenreg
    • 0.001 targeted_flame

    Reporting ( 11.445 seconds )

    • 10.598 BinGraph
    • 0.784 MITRE_TTPS
    • 0.063 PCAP2CERT