Detections

Yara:

AgentTeslaV2

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-22 14:11:39 2020-06-22 14:18:16 397 seconds Show Options Show Log
route = tor
2020-05-13 09:11:25,813 [root] INFO: Date set to: 20200622T08:27:43, timeout set to: 200
2020-06-22 08:27:43,031 [root] DEBUG: Starting analyzer from: C:\tmp52sk_on6
2020-06-22 08:27:43,031 [root] DEBUG: Storing results at: C:\JbXQQGVZD
2020-06-22 08:27:43,031 [root] DEBUG: Pipe server name: \\.\PIPE\cMezuYkS
2020-06-22 08:27:43,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-22 08:27:43,031 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-22 08:27:43,046 [root] INFO: Automatically selected analysis package "exe"
2020-06-22 08:27:43,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-22 08:27:43,078 [root] DEBUG: Imported analysis package "exe".
2020-06-22 08:27:43,078 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-22 08:27:43,078 [root] DEBUG: Initialized analysis package "exe".
2020-06-22 08:27:43,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-22 08:27:43,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-22 08:27:43,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-22 08:27:43,437 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-22 08:27:43,437 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-22 08:27:43,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-22 08:27:43,468 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-22 08:27:43,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-22 08:27:43,484 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-22 08:27:43,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-22 08:27:43,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-22 08:27:43,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-22 08:27:43,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-22 08:27:43,500 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-22 08:27:43,500 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-22 08:27:43,500 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-22 08:27:43,500 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-22 08:27:43,515 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-22 08:27:43,515 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-22 08:27:43,546 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-22 08:27:43,546 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-22 08:27:45,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-22 08:27:45,249 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-22 08:27:45,249 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-22 08:27:45,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-22 08:27:45,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-22 08:27:45,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-22 08:27:45,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-22 08:27:45,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-22 08:27:45,281 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-22 08:27:45,281 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-22 08:27:45,281 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-22 08:27:45,281 [root] DEBUG: Started auxiliary module Browser
2020-06-22 08:27:45,281 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-22 08:27:45,281 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-22 08:27:45,281 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-22 08:27:45,296 [root] DEBUG: Started auxiliary module Curtain
2020-06-22 08:27:45,296 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-22 08:27:45,296 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-22 08:27:45,296 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-22 08:27:45,296 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-22 08:27:45,593 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-22 08:27:45,593 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-22 08:27:45,593 [root] DEBUG: Started auxiliary module DigiSig
2020-06-22 08:27:45,593 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-22 08:27:45,593 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-22 08:27:45,593 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-22 08:27:45,625 [root] DEBUG: Started auxiliary module Disguise
2020-06-22 08:27:45,625 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-22 08:27:45,625 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-22 08:27:45,625 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-22 08:27:45,640 [root] DEBUG: Started auxiliary module Human
2020-06-22 08:27:45,640 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-22 08:27:45,640 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-22 08:27:45,640 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-22 08:27:45,640 [root] DEBUG: Started auxiliary module Procmon
2020-06-22 08:27:45,640 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-22 08:27:45,640 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-22 08:27:45,640 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-22 08:27:45,640 [root] DEBUG: Started auxiliary module Screenshots
2020-06-22 08:27:45,640 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-22 08:27:45,640 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-22 08:27:45,640 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-22 08:27:45,656 [root] DEBUG: Started auxiliary module Sysmon
2020-06-22 08:27:45,656 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-22 08:27:45,656 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-22 08:27:45,656 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-22 08:27:45,656 [root] DEBUG: Started auxiliary module Usage
2020-06-22 08:27:45,656 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-22 08:27:45,656 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-22 08:27:45,656 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-22 08:27:45,656 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-22 08:27:45,796 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe" with arguments "" with pid 5164
2020-06-22 08:27:45,796 [lib.api.process] INFO: Monitor config for process 5164: C:\tmp52sk_on6\dll\5164.ini
2020-06-22 08:27:45,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:27:45,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:27:45,906 [root] DEBUG: Loader: Injecting process 5164 (thread 548) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:27:45,906 [root] DEBUG: Process image base: 0x00830000
2020-06-22 08:27:45,906 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 08:27:45,906 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 08:27:45,906 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:27:45,906 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5164
2020-06-22 08:27:48,140 [lib.api.process] INFO: Successfully resumed process with pid 5164
2020-06-22 08:27:49,375 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:27:49,390 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 08:27:49,390 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5164 at 0x6ae60000, image base 0x830000, stack from 0x175000-0x180000
2020-06-22 08:27:49,390 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe".
2020-06-22 08:27:49,421 [root] INFO: Loaded monitor into process with pid 5164
2020-06-22 08:27:49,437 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-22 08:27:49,437 [root] DEBUG: set_caller_info: Adding region at 0x01540000 to caller regions list (ntdll::RtlDispatchException).
2020-06-22 08:27:49,812 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-22 08:27:49,828 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1540000
2020-06-22 08:27:49,828 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01540000 size 0x400000.
2020-06-22 08:27:49,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x1540000 - 0x1541000.
2020-06-22 08:27:49,843 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1540000-0x1541000.
2020-06-22 08:27:50,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_10397662404947622162020 (size 0x597)
2020-06-22 08:27:50,000 [root] DEBUG: DumpRegion: Dumped stack region from 0x01540000, size 0x1000.
2020-06-22 08:27:50,000 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00080000.
2020-06-22 08:27:50,171 [root] DEBUG: set_caller_info: Adding region at 0x00560000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-22 08:27:50,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_9943296955047622162020 (size 0x100099)
2020-06-22 08:27:50,437 [root] DEBUG: DumpRegion: Dumped stack region from 0x00560000, size 0x101000.
2020-06-22 08:27:50,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x6BE30000 to global list.
2020-06-22 08:27:50,453 [root] DEBUG: DLL loaded at 0x6BE30000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-22 08:27:50,453 [root] DEBUG: DLL unloaded from 0x76970000.
2020-06-22 08:27:50,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00280000 to global list.
2020-06-22 08:27:50,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x00280000 to global list.
2020-06-22 08:27:50,484 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-22 08:27:50,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68290000 for section view with handle 0xcc.
2020-06-22 08:27:50,515 [root] DEBUG: DLL loaded at 0x68290000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-22 08:27:50,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A8E0000 for section view with handle 0xd0.
2020-06-22 08:27:50,531 [root] DEBUG: DLL loaded at 0x6A8E0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2020-06-22 08:27:50,562 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5164, handle 0xdc.
2020-06-22 08:27:50,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x00290000 to global list.
2020-06-22 08:27:50,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 amd local view 0x002A0000 to global list.
2020-06-22 08:27:50,578 [root] INFO: Disabling sleep skipping.
2020-06-22 08:27:50,578 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5164.
2020-06-22 08:27:50,593 [root] DEBUG: DLL loaded at 0x76B60000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-22 08:27:50,593 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 08:27:50,609 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5164.
2020-06-22 08:27:50,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1a0 amd local view 0x66920000 to global list.
2020-06-22 08:27:50,640 [root] DEBUG: DLL loaded at 0x66920000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-22 08:27:50,656 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-22 08:27:50,765 [root] DEBUG: set_caller_info: Adding region at 0x00200000 to caller regions list (kernel32::SetErrorMode).
2020-06-22 08:27:50,765 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x23ffff
2020-06-22 08:27:50,765 [root] DEBUG: DumpMemory: Nothing to dump at 0x00200000!
2020-06-22 08:27:50,765 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00200000 size 0x40000.
2020-06-22 08:27:50,765 [root] DEBUG: DumpPEsInRange: Scanning range 0x200000 - 0x201000.
2020-06-22 08:27:50,781 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x200000-0x201000.
2020-06-22 08:27:50,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_4321782585047622162020 (size 0xffe)
2020-06-22 08:27:50,796 [root] DEBUG: DumpRegion: Dumped stack region from 0x00200000, size 0x1000.
2020-06-22 08:27:50,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b4 amd local view 0x00500000 to global list.
2020-06-22 08:27:50,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 amd local view 0x014B0000 to global list.
2020-06-22 08:27:50,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B5F0000 for section view with handle 0x1b0.
2020-06-22 08:27:50,984 [root] DEBUG: DLL loaded at 0x6B5F0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-22 08:27:51,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 amd local view 0x67AE0000 to global list.
2020-06-22 08:27:51,703 [root] DEBUG: DLL loaded at 0x67AE0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-22 08:27:51,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67950000 for section view with handle 0x1c4.
2020-06-22 08:27:51,718 [root] DEBUG: DLL loaded at 0x67950000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-22 08:27:51,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65D40000 for section view with handle 0x1c4.
2020-06-22 08:27:51,750 [root] DEBUG: DLL loaded at 0x65D40000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-22 08:27:53,093 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-22 08:27:53,125 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x53ffff
2020-06-22 08:27:53,140 [root] DEBUG: DumpMemory: Nothing to dump at 0x00530000!
2020-06-22 08:27:53,140 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00530000 size 0x10000.
2020-06-22 08:27:53,140 [root] DEBUG: DumpPEsInRange: Scanning range 0x530000 - 0x531000.
2020-06-22 08:27:53,140 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x530000-0x531000.
2020-06-22 08:27:53,218 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_7731621405347622162020 (size 0xb3)
2020-06-22 08:27:53,218 [root] DEBUG: DumpRegion: Dumped stack region from 0x00530000, size 0x1000.
2020-06-22 08:27:53,234 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\uxtheme (0x40000 bytes).
2020-06-22 08:27:53,265 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-22 08:27:53,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d8 amd local view 0x740F0000 to global list.
2020-06-22 08:27:53,796 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-22 08:27:53,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e8 amd local view 0x00690000 to global list.
2020-06-22 08:27:53,828 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
2020-06-22 08:27:53,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e4 amd local view 0x00690000 to global list.
2020-06-22 08:27:53,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 amd local view 0x006A0000 to global list.
2020-06-22 08:27:53,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:53,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x1f4.
2020-06-22 08:27:53,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:53,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:54,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x1f4.
2020-06-22 08:27:54,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:55,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:55,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:55,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:55,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:55,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07850000 for section view with handle 0x1f4.
2020-06-22 08:27:55,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:55,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07850000 for section view with handle 0x1f4.
2020-06-22 08:27:55,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:56,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07850000 for section view with handle 0x1f4.
2020-06-22 08:27:56,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:56,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:56,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:56,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:56,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x1f4.
2020-06-22 08:27:56,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:57,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:57,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:57,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:27:57,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:57,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:27:57,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:57,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:57,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:57,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:59,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:27:59,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:27:59,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:27:59,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:00,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:00,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:00,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:01,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02B00000 for section view with handle 0x1f4.
2020-06-22 08:28:02,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:02,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:03,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:04,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:05,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03260000 for section view with handle 0x1f4.
2020-06-22 08:28:06,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:06,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08820000 for section view with handle 0x1f4.
2020-06-22 08:28:06,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08820000 for section view with handle 0x1f4.
2020-06-22 08:28:07,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08820000 for section view with handle 0x1f4.
2020-06-22 08:28:07,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x1f4.
2020-06-22 08:28:07,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:08,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:08,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:08,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006A0000 for section view with handle 0x1f4.
2020-06-22 08:28:08,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x1f4.
2020-06-22 08:28:08,328 [root] DEBUG: set_caller_info: Adding region at 0x00690000 to caller regions list (ntdll::memcpy).
2020-06-22 08:28:08,375 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x69ffff
2020-06-22 08:28:08,375 [root] DEBUG: DumpMemory: Nothing to dump at 0x00690000!
2020-06-22 08:28:08,375 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00690000 size 0x10000.
2020-06-22 08:28:08,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x690000 - 0x691000.
2020-06-22 08:28:08,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x690000-0x691000.
2020-06-22 08:28:08,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_1129920317848622162020 (size 0xdb)
2020-06-22 08:28:08,406 [root] DEBUG: DumpRegion: Dumped stack region from 0x00690000, size 0x1000.
2020-06-22 08:28:08,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05BE0000 for section view with handle 0x1f4.
2020-06-22 08:28:08,453 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-22 08:28:08,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x007D0000 to global list.
2020-06-22 08:28:08,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x007E0000 to global list.
2020-06-22 08:28:08,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 amd local view 0x73600000 to global list.
2020-06-22 08:28:08,671 [root] DEBUG: DLL loaded at 0x73600000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-22 08:28:08,687 [root] DEBUG: DLL unloaded from 0x73600000.
2020-06-22 08:28:08,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x014B0000 for section view with handle 0x210.
2020-06-22 08:28:08,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x68C10000 to global list.
2020-06-22 08:28:08,843 [root] DEBUG: DLL loaded at 0x68C10000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-22 08:28:08,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x01510000 for section view with handle 0x210.
2020-06-22 08:28:19,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02BE0000 for section view with handle 0x210.
2020-06-22 08:28:19,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02BF0000 for section view with handle 0x210.
2020-06-22 08:28:19,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02C00000 for section view with handle 0x210.
2020-06-22 08:28:19,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05B40000 for section view with handle 0x20c.
2020-06-22 08:28:20,109 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,109 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,156 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,156 [root] DEBUG: Loader: Injecting process 4536 (thread 4592) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,156 [root] DEBUG: Process image base: 0x00830000
2020-06-22 08:28:20,156 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 08:28:20,156 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 08:28:20,156 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,171 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4536
2020-06-22 08:28:20,171 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-22 08:28:20,218 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4536, ImageBase: 0x00830000
2020-06-22 08:28:20,218 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,218 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,218 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,234 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,249 [root] DEBUG: Loader: Injecting process 4536 (thread 4592) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,249 [root] DEBUG: Process image base: 0x00830000
2020-06-22 08:28:20,249 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 08:28:20,249 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 08:28:20,249 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,265 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4536
2020-06-22 08:28:20,265 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4536 (ImageBase 0x400000)
2020-06-22 08:28:20,265 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 08:28:20,265 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04883E88.
2020-06-22 08:28:20,312 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x4b800.
2020-06-22 08:28:20,312 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4883e88, SizeOfImage 0x52000.
2020-06-22 08:28:20,328 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,328 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,343 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,343 [root] DEBUG: Loader: Injecting process 4536 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,343 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFDA000: The operation completed successfully.
2020-06-22 08:28:20,343 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 08:28:20,359 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 08:28:20,359 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,359 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4536, error: 4294967281
2020-06-22 08:28:20,359 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-22 08:28:20,375 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,375 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,390 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,390 [root] DEBUG: Loader: Injecting process 4536 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,390 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFDA000: The operation completed successfully.
2020-06-22 08:28:20,390 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 08:28:20,406 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 08:28:20,406 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,406 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4536, error: 4294967281
2020-06-22 08:28:20,406 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03850BF0 (size 0x400) injected into process 4536.
2020-06-22 08:28:20,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_4634527424348622162020 (size 0x2e8)
2020-06-22 08:28:20,437 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 08:28:20,437 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,437 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,515 [root] DEBUG: Loader: Injecting process 4536 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,515 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFDC000: The operation completed successfully.
2020-06-22 08:28:20,515 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 08:28:20,531 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 08:28:20,531 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,546 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4536, error: 4294967281
2020-06-22 08:28:20,546 [root] DEBUG: WriteMemoryHandler: shellcode at 0x03850FFC (size 0x200) injected into process 4536.
2020-06-22 08:28:20,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\5164_4986803884348622162020 (size 0x9)
2020-06-22 08:28:20,625 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 08:28:20,625 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,640 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,656 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,656 [root] DEBUG: Loader: Injecting process 4536 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,656 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFDE000: The operation completed successfully.
2020-06-22 08:28:20,656 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 08:28:20,656 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 08:28:20,671 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,671 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4536, error: 4294967281
2020-06-22 08:28:20,671 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,671 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,687 [root] DEBUG: Loader: Injecting process 4536 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,687 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFDB000: The operation completed successfully.
2020-06-22 08:28:20,687 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 08:28:20,703 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 08:28:20,703 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,703 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4536, error: 4294967281
2020-06-22 08:28:20,703 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0004CE4E (process 4536).
2020-06-22 08:28:20,718 [root] INFO: Announced 32-bit process name: Order No. BCM190282..exe pid: 4536
2020-06-22 08:28:20,718 [lib.api.process] INFO: Monitor config for process 4536: C:\tmp52sk_on6\dll\4536.ini
2020-06-22 08:28:20,718 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:20,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:20,734 [root] DEBUG: Loader: Injecting process 4536 (thread 4592) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,750 [root] DEBUG: Process image base: 0x00400000
2020-06-22 08:28:20,750 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 08:28:20,750 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 08:28:20,750 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:20,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4536
2020-06-22 08:28:20,765 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:28:20,781 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5164.
2020-06-22 08:28:20,796 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:28:20,796 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 08:28:20,796 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 08:28:20,812 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 08:28:20,812 [root] INFO: Disabling sleep skipping.
2020-06-22 08:28:20,812 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-22 08:28:20,812 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4536 at 0x6ae60000, image base 0x400000, stack from 0x1f6000-0x200000
2020-06-22 08:28:20,828 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"{path}".
2020-06-22 08:28:20,828 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5164
2020-06-22 08:28:20,828 [root] DEBUG: GetHookCallerBase: thread 548 (handle 0x0), return address 0x00533983, allocation base 0x00530000.
2020-06-22 08:28:20,828 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00830000.
2020-06-22 08:28:20,828 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00832000
2020-06-22 08:28:20,828 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 08:28:20,828 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00830000.
2020-06-22 08:28:20,843 [root] INFO: Loaded monitor into process with pid 4536
2020-06-22 08:28:20,843 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x008A2800 to 0x008A2A00).
2020-06-22 08:28:20,843 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 08:28:20,843 [root] DEBUG: set_caller_info: Adding region at 0x017A0000 to caller regions list (kernel32::GetSystemTime).
2020-06-22 08:28:20,875 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-22 08:28:20,875 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-22 08:28:20,875 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00830000, dumping memory region.
2020-06-22 08:28:20,875 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x17a0000
2020-06-22 08:28:20,890 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x017A0000 size 0x400000.
2020-06-22 08:28:20,890 [root] DEBUG: DumpPEsInRange: Scanning range 0x17a0000 - 0x17a1000.
2020-06-22 08:28:20,890 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x17a0000-0x17a1000.
2020-06-22 08:28:20,906 [root] DEBUG: DLL unloaded from 0x75C80000.
2020-06-22 08:28:20,906 [root] DEBUG: DLL unloaded from 0x68290000.
2020-06-22 08:28:20,906 [root] DEBUG: DLL unloaded from 0x6BE30000.
2020-06-22 08:28:20,921 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5164
2020-06-22 08:28:20,921 [root] DEBUG: GetHookCallerBase: thread 548 (handle 0x0), return address 0x00533983, allocation base 0x00530000.
2020-06-22 08:28:20,937 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00830000.
2020-06-22 08:28:20,953 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00832000
2020-06-22 08:28:20,953 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 08:28:20,968 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_840045642048622162020 (size 0x597)
2020-06-22 08:28:20,968 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00830000.
2020-06-22 08:28:20,984 [root] DEBUG: DumpRegion: Dumped stack region from 0x017A0000, size 0x1000.
2020-06-22 08:28:20,984 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x008A2800 to 0x008A2A00).
2020-06-22 08:28:21,046 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-22 08:28:21,046 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00830000, dumping memory region.
2020-06-22 08:28:21,062 [root] INFO: Process with pid 5164 has terminated
2020-06-22 08:28:21,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_16926688002048622162020 (size 0x129)
2020-06-22 08:28:21,093 [root] DEBUG: DumpRegion: Dumped stack region from 0x00070000, size 0x1000.
2020-06-22 08:28:21,093 [root] DEBUG: DLL loaded at 0x00750000: C:\tmp52sk_on6\dll\pxDqBI (0xd5000 bytes).
2020-06-22 08:28:21,125 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-22 08:28:21,125 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-22 08:28:21,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67CD0000 for section view with handle 0xd0.
2020-06-22 08:28:21,234 [root] DEBUG: DLL loaded at 0x67CD0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-22 08:28:21,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A170000 for section view with handle 0xd4.
2020-06-22 08:28:21,249 [root] DEBUG: DLL loaded at 0x6A170000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2020-06-22 08:28:21,296 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4536, handle 0xe0.
2020-06-22 08:28:21,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x00230000 to global list.
2020-06-22 08:28:21,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 amd local view 0x00240000 to global list.
2020-06-22 08:28:21,312 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:28:21,343 [root] DEBUG: DLL loaded at 0x76B60000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-22 08:28:21,390 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 08:28:21,390 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:28:21,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1a4 amd local view 0x65E20000 to global list.
2020-06-22 08:28:21,421 [root] DEBUG: DLL loaded at 0x65E20000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-22 08:28:21,468 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-22 08:28:21,468 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-22 08:28:21,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1ac amd local view 0x00750000 to global list.
2020-06-22 08:28:21,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A920000 for section view with handle 0x1ac.
2020-06-22 08:28:21,500 [root] DEBUG: DLL loaded at 0x6A920000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-22 08:28:21,578 [root] DEBUG: set_caller_info: Adding region at 0x01710000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-22 08:28:21,593 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x171ffff
2020-06-22 08:28:21,593 [root] DEBUG: DumpMemory: Nothing to dump at 0x01710000!
2020-06-22 08:28:21,593 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01710000 size 0x10000.
2020-06-22 08:28:21,609 [root] DEBUG: DumpPEsInRange: Scanning range 0x1710000 - 0x171f000.
2020-06-22 08:28:21,687 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1710000-0x171f000.
2020-06-22 08:28:21,781 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_18037866712148622162020 (size 0xe491)
2020-06-22 08:28:21,796 [root] DEBUG: DumpRegion: Dumped stack region from 0x01710000, size 0xf000.
2020-06-22 08:28:21,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c8 amd local view 0x66C70000 to global list.
2020-06-22 08:28:21,921 [root] DEBUG: DLL loaded at 0x66C70000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-22 08:28:21,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68C20000 for section view with handle 0x1c8.
2020-06-22 08:28:21,937 [root] DEBUG: DLL loaded at 0x68C20000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-22 08:28:22,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65240000 for section view with handle 0x1c8.
2020-06-22 08:28:22,000 [root] DEBUG: DLL loaded at 0x65240000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-22 08:28:22,031 [root] DEBUG: set_caller_info: Adding region at 0x00360000 to caller regions list (ntdll::memcpy).
2020-06-22 08:28:22,031 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00360000.
2020-06-22 08:28:22,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005F0000 for section view with handle 0x1c8.
2020-06-22 08:28:22,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d0 amd local view 0x00750000 to global list.
2020-06-22 08:28:22,078 [root] DEBUG: DLL loaded at 0x75310000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-22 08:28:22,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e4 amd local view 0x686B0000 to global list.
2020-06-22 08:28:22,156 [root] DEBUG: DLL loaded at 0x686B0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-22 08:28:22,171 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 08:28:22,203 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 08:28:22,234 [root] DEBUG: set_caller_info: Adding region at 0x00600000 to caller regions list (kernel32::SetErrorMode).
2020-06-22 08:28:22,249 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x60ffff
2020-06-22 08:28:22,249 [root] DEBUG: DumpMemory: Nothing to dump at 0x00600000!
2020-06-22 08:28:22,265 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00600000 size 0x10000.
2020-06-22 08:28:22,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x600000 - 0x601000.
2020-06-22 08:28:22,281 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x600000-0x601000.
2020-06-22 08:28:22,343 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_9482560052248622162020 (size 0x2ce)
2020-06-22 08:28:22,359 [root] DEBUG: DumpRegion: Dumped stack region from 0x00600000, size 0x1000.
2020-06-22 08:28:22,375 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-22 08:28:22,390 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-22 08:28:22,390 [root] DEBUG: DLL loaded at 0x75CB0000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-22 08:28:22,437 [root] DEBUG: DLL loaded at 0x6B610000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-22 08:28:22,437 [root] DEBUG: DLL loaded at 0x6A110000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-22 08:28:22,453 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-22 08:28:22,453 [root] DEBUG: DLL loaded at 0x779C0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-22 08:28:22,453 [root] INFO: Stopping WMI Service
2020-06-22 08:28:30,093 [root] INFO: Stopped WMI Service
2020-06-22 08:28:30,390 [lib.api.process] INFO: Monitor config for process 584: C:\tmp52sk_on6\dll\584.ini
2020-06-22 08:28:30,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:30,468 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:30,484 [root] DEBUG: Loader: Injecting process 584 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:30,484 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFDB000: The operation completed successfully.
2020-06-22 08:28:30,484 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 624, handle 0xa4
2020-06-22 08:28:30,500 [root] DEBUG: Process image base: 0x00280000
2020-06-22 08:28:30,515 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-22 08:28:30,531 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-22 08:28:30,578 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:28:30,578 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 08:28:30,593 [root] INFO: Disabling sleep skipping.
2020-06-22 08:28:30,609 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 584 at 0x6ae60000, image base 0x280000, stack from 0x306000-0x310000
2020-06-22 08:28:30,625 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-06-22 08:28:30,640 [root] INFO: Loaded monitor into process with pid 584
2020-06-22 08:28:30,656 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 08:28:30,656 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 08:28:30,656 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:32,671 [root] INFO: Starting WMI Service
2020-06-22 08:28:34,875 [root] INFO: Started WMI Service
2020-06-22 08:28:34,890 [lib.api.process] INFO: Monitor config for process 1920: C:\tmp52sk_on6\dll\1920.ini
2020-06-22 08:28:34,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:28:34,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:28:34,921 [root] DEBUG: Loader: Injecting process 1920 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:34,937 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD7000 Local PEB 0x7FFDF000 Local TEB 0x7FFD3000: The operation completed successfully.
2020-06-22 08:28:34,937 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 08:28:34,937 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-22 08:28:34,953 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:28:34,968 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 08:28:35,000 [root] INFO: Disabling sleep skipping.
2020-06-22 08:28:35,000 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1920 at 0x6ae60000, image base 0x280000, stack from 0x6c6000-0x6d0000
2020-06-22 08:28:35,015 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-22 08:28:35,046 [root] INFO: Loaded monitor into process with pid 1920
2020-06-22 08:28:35,062 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 08:28:35,078 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 08:28:35,078 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:28:37,078 [root] DEBUG: DLL loaded at 0x6EDB0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-22 08:28:37,093 [root] DEBUG: DLL loaded at 0x6F170000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-22 08:28:37,109 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-22 08:28:37,140 [root] DEBUG: DLL loaded at 0x6F1E0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-06-22 08:28:37,140 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\ATL (0x14000 bytes).
2020-06-22 08:28:37,156 [root] DEBUG: DLL loaded at 0x6F160000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-06-22 08:28:37,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x00290000 to global list.
2020-06-22 08:28:37,171 [root] DEBUG: DLL loaded at 0x736D0000: C:\Windows\system32\samcli (0xf000 bytes).
2020-06-22 08:28:37,171 [root] DEBUG: DLL loaded at 0x742D0000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-06-22 08:28:37,203 [root] DEBUG: DLL loaded at 0x73F20000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-22 08:28:37,218 [root] DEBUG: DLL loaded at 0x73CE0000: C:\Windows\system32\es (0x47000 bytes).
2020-06-22 08:28:37,249 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-22 08:28:37,281 [root] DEBUG: DLL loaded at 0x6E6A0000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-06-22 08:28:37,281 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-22 08:28:37,296 [root] DEBUG: DLL loaded at 0x6E640000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2020-06-22 08:28:37,312 [root] DEBUG: DLL loaded at 0x6EC50000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2020-06-22 08:28:37,312 [root] DEBUG: DLL loaded at 0x6EBF0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-22 08:28:37,328 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-22 08:28:37,328 [root] DEBUG: DLL loaded at 0x6E600000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-22 08:28:37,343 [root] DEBUG: DLL loaded at 0x6E600000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-22 08:28:37,359 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-06-22 08:28:37,359 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-22 08:28:37,390 [root] DEBUG: DLL loaded at 0x6E0B0000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-06-22 08:28:37,406 [root] DEBUG: DLL loaded at 0x753C0000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-06-22 08:28:37,437 [root] DEBUG: DLL unloaded from 0x753C0000.
2020-06-22 08:28:37,937 [root] DEBUG: DLL loaded at 0x6D7F0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-06-22 08:28:37,953 [root] DEBUG: DLL loaded at 0x6D790000: C:\Windows\system32\NCObjAPI (0xf000 bytes).
2020-06-22 08:28:37,968 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 584, handle 0x2c8.
2020-06-22 08:28:37,984 [root] DEBUG: DLL loaded at 0x6ED50000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-06-22 08:28:38,312 [root] DEBUG: DLL loaded at 0x6EC50000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-06-22 08:28:38,328 [root] DEBUG: DLL loaded at 0x6EBF0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-22 08:28:38,343 [root] DEBUG: DLL loaded at 0x75700000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-22 08:28:38,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2b8 amd local view 0x007D0000 to global list.
2020-06-22 08:28:38,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2a8 amd local view 0x05C10000 to global list.
2020-06-22 08:28:38,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c4 amd local view 0x73560000 to global list.
2020-06-22 08:28:38,593 [root] DEBUG: DLL loaded at 0x73560000: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x15000 bytes).
2020-06-22 08:28:38,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c8 amd local view 0x00920000 to global list.
2020-06-22 08:28:38,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00920000 for section view with handle 0x2c4.
2020-06-22 08:28:38,656 [root] DEBUG: DLL loaded at 0x71100000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-06-22 08:28:38,937 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-22 08:28:39,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68450000 for section view with handle 0x2c4.
2020-06-22 08:28:39,109 [root] DEBUG: DLL loaded at 0x68450000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni (0x106000 bytes).
2020-06-22 08:28:39,125 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:28:39,156 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:28:39,156 [root] DEBUG: set_caller_info: Adding region at 0x00920000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 08:28:39,156 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x92ffff
2020-06-22 08:28:39,171 [root] DEBUG: DumpMemory: Nothing to dump at 0x00920000!
2020-06-22 08:28:39,171 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00920000 size 0x10000.
2020-06-22 08:28:39,171 [root] DEBUG: DumpPEsInRange: Scanning range 0x920000 - 0x921000.
2020-06-22 08:28:39,187 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x920000-0x921000.
2020-06-22 08:28:39,249 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_1254566993950622162020 (size 0xe5)
2020-06-22 08:28:39,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x31c amd local view 0x6F310000 to global list.
2020-06-22 08:28:39,281 [root] DEBUG: DLL loaded at 0x6F310000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils (0x1e000 bytes).
2020-06-22 08:28:39,312 [root] DEBUG: set_caller_info: Adding region at 0x00940000 to caller regions list (ole32::CoCreateInstance).
2020-06-22 08:28:39,312 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x94ffff
2020-06-22 08:28:39,328 [root] DEBUG: DumpMemory: Nothing to dump at 0x00940000!
2020-06-22 08:28:39,328 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00940000 size 0x10000.
2020-06-22 08:28:39,328 [root] DEBUG: DumpPEsInRange: Scanning range 0x940000 - 0x944000.
2020-06-22 08:28:39,343 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x940000-0x944000.
2020-06-22 08:28:39,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_17296938673950622162020 (size 0x3a88)
2020-06-22 08:28:39,406 [root] DEBUG: DumpRegion: Dumped stack region from 0x00940000, size 0x4000.
2020-06-22 08:28:41,234 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:28:47,437 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:29:01,468 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:29:01,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3e8 amd local view 0x007C0000 to global list.
2020-06-22 08:29:01,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3e4 amd local view 0x00960000 to global list.
2020-06-22 08:29:01,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x3e4.
2020-06-22 08:29:01,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00960000 for section view with handle 0x3e8.
2020-06-22 08:29:03,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x64D00000 for section view with handle 0x3e4.
2020-06-22 08:29:03,515 [root] DEBUG: DLL loaded at 0x64D00000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni (0x53b000 bytes).
2020-06-22 08:29:11,484 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:29:14,859 [root] DEBUG: DLL loaded at 0x6F300000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-22 08:29:15,562 [root] DEBUG: DLL loaded at 0x6D5C0000: C:\Windows\system32\wshom.ocx (0x21000 bytes).
2020-06-22 08:29:15,593 [root] DEBUG: DLL loaded at 0x71E60000: C:\Windows\system32\MPR (0x12000 bytes).
2020-06-22 08:29:15,671 [root] DEBUG: DLL loaded at 0x6D590000: C:\Windows\system32\ScrRun (0x2a000 bytes).
2020-06-22 08:29:15,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3fc amd local view 0x007C0000 to global list.
2020-06-22 08:29:15,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3ec amd local view 0x00960000 to global list.
2020-06-22 08:29:16,156 [root] DEBUG: set_caller_info: Adding region at 0x02BF0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-22 08:29:16,171 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x2bfffff
2020-06-22 08:29:16,234 [root] DEBUG: DumpMemory: Nothing to dump at 0x02BF0000!
2020-06-22 08:29:16,249 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02BF0000 size 0x10000.
2020-06-22 08:29:16,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x2bf0000 - 0x2bf7000.
2020-06-22 08:29:16,281 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2bf0000-0x2bf7000.
2020-06-22 08:29:16,328 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JbXQQGVZD\CAPE\4536_2050190599167722162020 (size 0x685b)
2020-06-22 08:29:16,328 [root] DEBUG: DumpRegion: Dumped stack region from 0x02BF0000, size 0x7000.
2020-06-22 08:29:16,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f0 amd local view 0x016C0000 to global list.
2020-06-22 08:29:16,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x400 amd local view 0x6BBF0000 to global list.
2020-06-22 08:29:16,453 [root] DEBUG: DLL loaded at 0x6BBF0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\51fb28e8a54a8d8f6021415d47477ab4\System.Security.ni (0xb3000 bytes).
2020-06-22 08:29:16,500 [root] DEBUG: DLL loaded at 0x758D0000: C:\Windows\system32\crypt32 (0x122000 bytes).
2020-06-22 08:29:16,531 [root] DEBUG: DLL loaded at 0x75810000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-06-22 08:29:16,921 [root] DEBUG: set_caller_info: Adding region at 0x01720000 to caller regions list (ntdll::memcpy).
2020-06-22 08:29:16,921 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x172ffff
2020-06-22 08:29:16,921 [root] DEBUG: DumpMemory: Nothing to dump at 0x01720000!
2020-06-22 08:29:16,953 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01720000 size 0x10000.
2020-06-22 08:29:16,968 [root] DEBUG: DumpPEsInRange: Scanning range 0x1720000 - 0x1722000.
2020-06-22 08:29:17,062 [root] INFO: Announced 32-bit process name: netsh.exe pid: 3608
2020-06-22 08:29:17,062 [lib.api.process] INFO: Monitor config for process 3608: C:\tmp52sk_on6\dll\3608.ini
2020-06-22 08:29:17,093 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:29:17,109 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:29:17,109 [root] DEBUG: Loader: Injecting process 3608 (thread 5008) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:17,109 [root] DEBUG: Process image base: 0x012D0000
2020-06-22 08:29:17,125 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:17,125 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 08:29:17,125 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:17,140 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3608
2020-06-22 08:29:17,140 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-22 08:29:17,140 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "netsh" wlan show profile.
2020-06-22 08:29:17,156 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3608, ImageBase: 0x012D0000
2020-06-22 08:29:17,156 [root] INFO: Announced 32-bit process name: netsh.exe pid: 3608
2020-06-22 08:29:17,156 [lib.api.process] INFO: Monitor config for process 3608: C:\tmp52sk_on6\dll\3608.ini
2020-06-22 08:29:17,156 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:29:17,203 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:29:17,203 [root] DEBUG: Loader: Injecting process 3608 (thread 5008) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:17,203 [root] DEBUG: Process image base: 0x012D0000
2020-06-22 08:29:17,218 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:17,218 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-22 08:29:17,218 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:17,281 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3608
2020-06-22 08:29:17,343 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:29:17,343 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 08:29:17,359 [root] INFO: Disabling sleep skipping.
2020-06-22 08:29:17,375 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 08:29:17,375 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3608 at 0x6ae60000, image base 0x12d0000, stack from 0xb0000-0x130000
2020-06-22 08:29:17,375 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"netsh" wlan show profile.
2020-06-22 08:29:17,406 [root] INFO: Loaded monitor into process with pid 3608
2020-06-22 08:29:17,421 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-22 08:29:17,437 [root] DEBUG: DLL loaded at 0x6B5E0000: C:\Windows\system32\RASMONTR (0x2e000 bytes).
2020-06-22 08:29:17,437 [root] DEBUG: DLL loaded at 0x6DF60000: C:\Windows\system32\MPRAPI (0x29000 bytes).
2020-06-22 08:29:17,437 [root] DEBUG: DLL loaded at 0x6CB50000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2020-06-22 08:29:17,437 [root] DEBUG: DLL loaded at 0x72140000: C:\Windows\system32\rasman (0x15000 bytes).
2020-06-22 08:29:17,453 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-22 08:29:17,468 [root] DEBUG: DLL loaded at 0x779C0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-22 08:29:17,484 [root] DEBUG: DLL loaded at 0x73A90000: C:\Windows\system32\fwpuclnt (0x38000 bytes).
2020-06-22 08:29:17,500 [root] DEBUG: DLL loaded at 0x68330000: C:\Windows\system32\MFC42u (0x11f000 bytes).
2020-06-22 08:29:17,515 [root] DEBUG: DLL loaded at 0x682A0000: C:\Windows\system32\ODBC32 (0x8c000 bytes).
2020-06-22 08:29:17,515 [root] DEBUG: DLL loaded at 0x6A8E0000: C:\Windows\system32\odbcint (0x38000 bytes).
2020-06-22 08:29:17,515 [root] DEBUG: DLL loaded at 0x73C60000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-22 08:29:17,531 [root] DEBUG: DLL loaded at 0x73B10000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-22 08:29:17,546 [root] DEBUG: DLL loaded at 0x67C20000: C:\Windows\system32\NSHWFP (0xa4000 bytes).
2020-06-22 08:29:17,546 [root] DEBUG: DLL loaded at 0x758D0000: C:\Windows\system32\CRYPT32 (0x122000 bytes).
2020-06-22 08:29:17,546 [root] DEBUG: DLL loaded at 0x75810000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-06-22 08:29:17,562 [root] DEBUG: DLL loaded at 0x73CC0000: C:\Windows\system32\slc (0xa000 bytes).
2020-06-22 08:29:17,562 [root] DEBUG: DLL loaded at 0x6ED40000: C:\Windows\system32\DHCPCMONITOR (0x6000 bytes).
2020-06-22 08:29:17,578 [root] DEBUG: DLL loaded at 0x73970000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-22 08:29:17,578 [root] DEBUG: DLL loaded at 0x739F0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-22 08:29:17,578 [root] DEBUG: DLL loaded at 0x6E440000: C:\Windows\system32\DhcpQEC (0x17000 bytes).
2020-06-22 08:29:17,578 [root] DEBUG: DLL loaded at 0x72AF0000: C:\Windows\system32\QUtil (0x17000 bytes).
2020-06-22 08:29:17,578 [root] DEBUG: DLL loaded at 0x753C0000: C:\Windows\system32\wevtapi (0x42000 bytes).
2020-06-22 08:29:17,593 [root] DEBUG: DLL loaded at 0x6ED30000: C:\Windows\system32\WSHELPER (0x7000 bytes).
2020-06-22 08:29:17,609 [root] DEBUG: DLL loaded at 0x6D9D0000: C:\Windows\system32\WS2HELP (0x3000 bytes).
2020-06-22 08:29:17,609 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\MSWSOCK (0x3c000 bytes).
2020-06-22 08:29:17,640 [root] DEBUG: DLL loaded at 0x6B4D0000: C:\Windows\system32\NSHHTTP (0xa000 bytes).
2020-06-22 08:29:17,687 [root] DEBUG: DLL loaded at 0x70B50000: C:\Windows\system32\HTTPAPI (0xb000 bytes).
2020-06-22 08:29:17,703 [root] DEBUG: DLL loaded at 0x6B430000: C:\Windows\system32\FWCFG (0x11000 bytes).
2020-06-22 08:29:17,750 [root] DEBUG: DLL loaded at 0x74C80000: C:\Windows\system32\FirewallAPI (0x76000 bytes).
2020-06-22 08:29:17,796 [root] DEBUG: DLL loaded at 0x6AE40000: C:\Windows\system32\WINIPSEC (0x14000 bytes).
2020-06-22 08:29:17,828 [root] DEBUG: DLL loaded at 0x6AE30000: C:\Windows\system32\IFMON (0x9000 bytes).
2020-06-22 08:29:17,843 [root] DEBUG: DLL loaded at 0x76530000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-06-22 08:29:17,937 [root] DEBUG: DLL loaded at 0x75840000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-06-22 08:29:18,000 [root] DEBUG: DLL loaded at 0x75040000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-22 08:29:18,015 [root] DEBUG: DLL loaded at 0x6A860000: C:\Windows\system32\WHHELPER (0x7000 bytes).
2020-06-22 08:29:18,062 [root] DEBUG: DLL loaded at 0x6F380000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-06-22 08:29:18,093 [root] DEBUG: DLL loaded at 0x6F330000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-22 08:29:18,125 [root] DEBUG: DLL loaded at 0x72D20000: C:\Windows\system32\netshell (0x265000 bytes).
2020-06-22 08:29:18,140 [root] DEBUG: DLL loaded at 0x6A7E0000: C:\Windows\system32\RPCNSH (0xb000 bytes).
2020-06-22 08:29:18,156 [root] DEBUG: DLL loaded at 0x6A3F0000: C:\Windows\system32\DOT3CFG (0x17000 bytes).
2020-06-22 08:29:18,187 [root] DEBUG: DLL loaded at 0x6A320000: C:\Windows\system32\dot3api (0x1a000 bytes).
2020-06-22 08:29:18,218 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\ATL (0x14000 bytes).
2020-06-22 08:29:18,234 [root] DEBUG: DLL loaded at 0x6B650000: C:\Windows\system32\eappcfg (0x2f000 bytes).
2020-06-22 08:29:18,249 [root] DEBUG: DLL loaded at 0x6B680000: C:\Windows\system32\OneX (0x34000 bytes).
2020-06-22 08:29:18,249 [root] DEBUG: DLL loaded at 0x6BCC0000: C:\Windows\system32\eappprxy (0x11000 bytes).
2020-06-22 08:29:18,265 [root] DEBUG: DLL loaded at 0x68AC0000: C:\Windows\system32\NAPMONTR (0x29000 bytes).
2020-06-22 08:29:18,296 [root] DEBUG: DLL loaded at 0x67BC0000: C:\Windows\system32\certcli (0x56000 bytes).
2020-06-22 08:29:18,296 [root] DEBUG: DLL loaded at 0x75B60000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-06-22 08:29:18,312 [root] DEBUG: DLL loaded at 0x67B60000: C:\Windows\system32\NSHIPSEC (0x59000 bytes).
2020-06-22 08:29:18,328 [root] DEBUG: DLL loaded at 0x736D0000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-06-22 08:29:18,328 [root] DEBUG: DLL loaded at 0x73F10000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-06-22 08:29:18,375 [root] DEBUG: DLL loaded at 0x742F0000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-06-22 08:29:18,437 [root] DEBUG: DLL loaded at 0x73F20000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-22 08:29:18,453 [root] DEBUG: DLL loaded at 0x753A0000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-06-22 08:29:18,453 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2020-06-22 08:29:18,468 [root] DEBUG: DLL loaded at 0x74DD0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-22 08:29:18,484 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 08:29:18,484 [root] DEBUG: DLL loaded at 0x67B20000: C:\Windows\system32\ACTIVEDS (0x35000 bytes).
2020-06-22 08:29:18,484 [root] DEBUG: DLL loaded at 0x67AE0000: C:\Windows\system32\adsldpc (0x34000 bytes).
2020-06-22 08:29:18,500 [root] DEBUG: DLL loaded at 0x67A90000: C:\Windows\system32\POLSTORE (0x46000 bytes).
2020-06-22 08:29:18,515 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 3608).
2020-06-22 08:29:18,515 [root] DEBUG: DLL loaded at 0x67A00000: C:\Windows\system32\NETTRACE (0x8a000 bytes).
2020-06-22 08:29:18,531 [root] DEBUG: DLL loaded at 0x679C0000: C:\Windows\system32\NDFAPI (0x34000 bytes).
2020-06-22 08:29:18,546 [root] DEBUG: DLL loaded at 0x6E5E0000: C:\Windows\system32\wdi (0x15000 bytes).
2020-06-22 08:29:18,546 [root] DEBUG: DLL loaded at 0x75480000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-22 08:29:18,562 [root] DEBUG: DLL loaded at 0x67920000: C:\Windows\system32\tdh (0x9b000 bytes).
2020-06-22 08:29:18,578 [root] DEBUG: DLL loaded at 0x68BB0000: C:\Windows\system32\WCNNETSH (0xa000 bytes).
2020-06-22 08:29:18,578 [root] DEBUG: DLL loaded at 0x730E0000: C:\Windows\system32\Wlanapi (0x16000 bytes).
2020-06-22 08:29:18,578 [root] DEBUG: DLL loaded at 0x73110000: C:\Windows\system32\wlanutil (0x6000 bytes).
2020-06-22 08:29:18,593 [root] DEBUG: DLL loaded at 0x678F0000: C:\Windows\system32\P2PNETSH (0x25000 bytes).
2020-06-22 08:29:18,593 [root] DEBUG: DLL loaded at 0x6B4E0000: C:\Windows\system32\P2P (0x38000 bytes).
2020-06-22 08:29:18,609 [root] DEBUG: DLL loaded at 0x6A2B0000: C:\Windows\system32\P2PCOLLAB (0x68000 bytes).
2020-06-22 08:29:18,609 [root] DEBUG: DLL loaded at 0x678C0000: C:\Windows\system32\WLANCFG (0x2e000 bytes).
2020-06-22 08:29:18,625 [root] DEBUG: DLL loaded at 0x6B6C0000: C:\Windows\system32\wlanhlp (0x17000 bytes).
2020-06-22 08:29:18,625 [root] DEBUG: DLL loaded at 0x68BA0000: C:\Windows\system32\WWANCFG (0xd000 bytes).
2020-06-22 08:29:18,625 [root] DEBUG: DLL loaded at 0x73100000: C:\Windows\system32\wwapi (0xa000 bytes).
2020-06-22 08:29:18,640 [root] DEBUG: DLL loaded at 0x674D0000: C:\Windows\system32\PEERDISTSH (0xa5000 bytes).
2020-06-22 08:29:18,640 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-22 08:29:18,656 [root] DEBUG: set_caller_info: Adding region at 0x756F0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-22 08:29:18,656 [root] DEBUG: set_caller_info: Calling region at 0x756F0000 skipped.
2020-06-22 08:29:18,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x324 amd local view 0x01470000 to global list.
2020-06-22 08:29:18,671 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 08:29:18,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x32c amd local view 0x028A0000 to global list.
2020-06-22 08:29:18,750 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-22 08:29:18,750 [root] DEBUG: DLL loaded at 0x6CAF0000: C:\Windows\System32\QAgent (0x2e000 bytes).
2020-06-22 08:29:18,765 [root] DEBUG: set_caller_info: Adding region at 0x6CAF0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-22 08:29:18,765 [root] DEBUG: set_caller_info: Calling region at 0x6CAF0000 skipped.
2020-06-22 08:29:18,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x368 amd local view 0x02EF0000 to global list.
2020-06-22 08:29:18,875 [root] DEBUG: DLL unloaded from 0x6E440000.
2020-06-22 08:29:18,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x36c amd local view 0x68AB0000 to global list.
2020-06-22 08:29:18,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68290000 for section view with handle 0x36c.
2020-06-22 08:29:19,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68AB0000 for section view with handle 0x36c.
2020-06-22 08:29:19,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68290000 for section view with handle 0x36c.
2020-06-22 08:29:19,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68AB0000 for section view with handle 0x36c.
2020-06-22 08:29:19,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68290000 for section view with handle 0x36c.
2020-06-22 08:29:19,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68AB0000 for section view with handle 0x36c.
2020-06-22 08:29:19,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68290000 for section view with handle 0x36c.
2020-06-22 08:29:19,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x678A0000 for section view with handle 0x36c.
2020-06-22 08:29:19,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67880000 for section view with handle 0x36c.
2020-06-22 08:29:19,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67880000 for section view with handle 0x36c.
2020-06-22 08:29:19,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x02F00000 for section view with handle 0x36c.
2020-06-22 08:29:19,546 [root] DEBUG: set_caller_info: Adding region at 0x751C0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 08:29:19,546 [root] DEBUG: set_caller_info: Calling region at 0x751C0000 skipped.
2020-06-22 08:29:19,546 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 08:29:19,562 [root] DEBUG: set_caller_info: Adding region at 0x74F50000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 08:29:19,562 [root] DEBUG: set_caller_info: Calling region at 0x74F50000 skipped.
2020-06-22 08:29:19,593 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-22 08:29:19,593 [root] DEBUG: set_caller_info: Adding region at 0x75790000 to caller regions list (advapi32::RegOpenKeyExW).
2020-06-22 08:29:19,609 [root] DEBUG: set_caller_info: Calling region at 0x75790000 skipped.
2020-06-22 08:29:19,625 [root] DEBUG: set_caller_info: Adding region at 0x678F0000 to caller regions list (ws2_32::WSAStartup).
2020-06-22 08:29:19,625 [root] DEBUG: set_caller_info: Calling region at 0x678F0000 skipped.
2020-06-22 08:29:19,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3c0 amd local view 0x02F00000 to global list.
2020-06-22 08:29:19,656 [root] DEBUG: set_caller_info: Adding region at 0x674D0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 08:29:19,656 [root] DEBUG: set_caller_info: Calling region at 0x674D0000 skipped.
2020-06-22 08:29:19,671 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-06-22 08:29:19,671 [root] DEBUG: set_caller_info: Adding region at 0x74DB0000 to caller regions list (advapi32::RegOpenKeyExW).
2020-06-22 08:29:19,687 [root] DEBUG: set_caller_info: Calling region at 0x74DB0000 skipped.
2020-06-22 08:29:19,718 [root] DEBUG: DLL loaded at 0x75290000: C:\Windows\system32\bcryptprimitives (0x3d000 bytes).
2020-06-22 08:29:19,734 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-22 08:29:19,781 [root] DEBUG: set_caller_info: Adding region at 0x678C0000 to caller regions list (ntdll::memcpy).
2020-06-22 08:29:19,781 [root] DEBUG: set_caller_info: Calling region at 0x678C0000 skipped.
2020-06-22 08:29:19,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f8 amd local view 0x02F10000 to global list.
2020-06-22 08:29:19,843 [root] DEBUG: DLL unloaded from 0x6CAF0000.
2020-06-22 08:29:19,859 [root] DEBUG: set_caller_info: Adding region at 0x76130000 to caller regions list (advapi32::RegCloseKey).
2020-06-22 08:29:19,875 [root] DEBUG: set_caller_info: Calling region at 0x76130000 skipped.
2020-06-22 08:29:19,890 [root] DEBUG: DLL unloaded from 0x74DB0000.
2020-06-22 08:29:19,890 [root] DEBUG: DLL unloaded from 0x74DD0000.
2020-06-22 08:29:19,906 [root] DEBUG: DLL unloaded from 0x012D0000.
2020-06-22 08:29:19,906 [root] DEBUG: DLL unloaded from 0x6B5E0000.
2020-06-22 08:29:19,921 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-06-22 08:29:19,937 [root] DEBUG: DLL unloaded from 0x6A8E0000.
2020-06-22 08:29:19,984 [root] DEBUG: DLL unloaded from 0x67C20000.
2020-06-22 08:29:20,000 [root] DEBUG: DLL unloaded from 0x6ED40000.
2020-06-22 08:29:20,000 [root] DEBUG: DLL unloaded from 0x73970000.
2020-06-22 08:29:20,000 [root] DEBUG: DLL unloaded from 0x6E440000.
2020-06-22 08:29:20,031 [root] DEBUG: DLL unloaded from 0x6ED30000.
2020-06-22 08:29:20,078 [root] DEBUG: DLL unloaded from 0x6B4D0000.
2020-06-22 08:29:20,109 [root] DEBUG: DLL unloaded from 0x6B430000.
2020-06-22 08:29:20,125 [root] DEBUG: DLL unloaded from 0x68BC0000.
2020-06-22 08:29:20,140 [root] DEBUG: DLL unloaded from 0x6AE30000.
2020-06-22 08:29:20,187 [root] DEBUG: DLL unloaded from 0x6A340000.
2020-06-22 08:29:20,218 [root] DEBUG: DLL unloaded from 0x6A860000.
2020-06-22 08:29:20,281 [root] DEBUG: DLL unloaded from 0x6A7F0000.
2020-06-22 08:29:20,328 [root] DEBUG: DLL unloaded from 0x6A7E0000.
2020-06-22 08:29:20,328 [root] DEBUG: DLL unloaded from 0x6A3F0000.
2020-06-22 08:29:20,359 [root] DEBUG: DLL unloaded from 0x68AC0000.
2020-06-22 08:29:20,375 [root] DEBUG: DLL unloaded from 0x67B60000.
2020-06-22 08:29:20,484 [root] DEBUG: DLL unloaded from 0x67A00000.
2020-06-22 08:29:20,609 [root] DEBUG: DLL unloaded from 0x68BB0000.
2020-06-22 08:29:20,640 [root] DEBUG: DLL unloaded from 0x678F0000.
2020-06-22 08:29:20,687 [root] DEBUG: set_caller_info: Adding region at 0x6B4E0000 to caller regions list (ntdll::NtClose).
2020-06-22 08:29:20,718 [root] DEBUG: set_caller_info: Calling region at 0x6B4E0000 skipped.
2020-06-22 08:29:20,718 [root] DEBUG: set_caller_info: Adding region at 0x6A2B0000 to caller regions list (ntdll::NtClose).
2020-06-22 08:29:20,750 [root] DEBUG: set_caller_info: Calling region at 0x6A2B0000 skipped.
2020-06-22 08:29:20,781 [root] DEBUG: DLL unloaded from 0x678C0000.
2020-06-22 08:29:20,781 [root] DEBUG: set_caller_info: Adding region at 0x6B6C0000 to caller regions list (ntdll::NtClose).
2020-06-22 08:29:20,796 [root] DEBUG: set_caller_info: Calling region at 0x6B6C0000 skipped.
2020-06-22 08:29:20,890 [root] DEBUG: DLL unloaded from 0x68BA0000.
2020-06-22 08:29:20,906 [root] DEBUG: set_caller_info: Adding region at 0x68BA0000 to caller regions list (ntdll::NtClose).
2020-06-22 08:29:20,906 [root] DEBUG: set_caller_info: Calling region at 0x68BA0000 skipped.
2020-06-22 08:29:20,921 [root] DEBUG: set_caller_info: Adding region at 0x73100000 to caller regions list (ntdll::NtClose).
2020-06-22 08:29:20,921 [root] DEBUG: set_caller_info: Calling region at 0x73100000 skipped.
2020-06-22 08:29:20,953 [root] DEBUG: DLL unloaded from 0x674D0000.
2020-06-22 08:29:20,984 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3608
2020-06-22 08:29:20,984 [root] DEBUG: GetHookCallerBase: thread 5008 (handle 0x0), return address 0x012D16C6, allocation base 0x012D0000.
2020-06-22 08:29:20,984 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x012D0000.
2020-06-22 08:29:20,984 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 08:29:21,000 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x012D0000.
2020-06-22 08:29:21,000 [root] DEBUG: DumpProcess: Module entry point VA is 0x00003CBD.
2020-06-22 08:29:21,078 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x17800.
2020-06-22 08:29:21,078 [root] DEBUG: set_caller_info: Adding region at 0x75290000 to caller regions list (ntdll::NtSetInformationThread).
2020-06-22 08:29:21,093 [root] DEBUG: set_caller_info: Calling region at 0x75290000 skipped.
2020-06-22 08:29:21,093 [root] DEBUG: DLL unloaded from 0x75290000.
2020-06-22 08:29:21,437 [root] DEBUG: DLL loaded at 0x6ED40000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-22 08:29:21,453 [root] DEBUG: DLL unloaded from 0x75D90000.
2020-06-22 08:29:22,078 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-22 08:29:22,078 [lib.api.process] INFO: Monitor config for process 460: C:\tmp52sk_on6\dll\460.ini
2020-06-22 08:29:22,156 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:29:22,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:29:22,281 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:22,328 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD4000 Local PEB 0x7FFDE000 Local TEB 0x7FFDF000: The operation completed successfully.
2020-06-22 08:29:22,406 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2484, handle 0xa4
2020-06-22 08:29:22,421 [root] DEBUG: Process image base: 0x009A0000
2020-06-22 08:29:22,468 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-22 08:29:22,484 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-22 08:29:22,531 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:29:22,578 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 08:29:22,671 [root] INFO: Disabling sleep skipping.
2020-06-22 08:29:22,671 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 460 at 0x6ae60000, image base 0x9a0000, stack from 0xa86000-0xa90000
2020-06-22 08:29:22,703 [root] DEBUG: Commandline: C:\Windows\System32\services.exe.
2020-06-22 08:29:22,734 [root] INFO: Loaded monitor into process with pid 460
2020-06-22 08:29:22,734 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 08:29:22,750 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 08:29:22,765 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:23,843 [root] INFO: Announced 32-bit process name: lsass.exe pid: 4888
2020-06-22 08:29:23,843 [lib.api.process] INFO: Monitor config for process 4888: C:\tmp52sk_on6\dll\4888.ini
2020-06-22 08:29:23,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:29:23,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:29:23,890 [root] DEBUG: Loader: Injecting process 4888 (thread 2600) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:23,890 [root] DEBUG: Process image base: 0x00DD0000
2020-06-22 08:29:23,890 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:23,906 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 08:29:23,906 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:23,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4888
2020-06-22 08:29:23,921 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-22 08:29:23,953 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4888, ImageBase: 0x00DD0000
2020-06-22 08:29:23,968 [root] INFO: Announced 32-bit process name: lsass.exe pid: 4888
2020-06-22 08:29:23,968 [lib.api.process] INFO: Monitor config for process 4888: C:\tmp52sk_on6\dll\4888.ini
2020-06-22 08:29:23,968 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\pxDqBI.dll, loader C:\tmp52sk_on6\bin\WurclSn.exe
2020-06-22 08:29:24,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\cMezuYkS.
2020-06-22 08:29:24,093 [root] DEBUG: Loader: Injecting process 4888 (thread 2600) with C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:24,140 [root] DEBUG: Process image base: 0x00DD0000
2020-06-22 08:29:24,203 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:24,249 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-22 08:29:24,265 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\pxDqBI.dll.
2020-06-22 08:29:24,281 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4888
2020-06-22 08:29:24,312 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4888.
2020-06-22 08:29:24,390 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 08:29:24,421 [root] INFO: Disabling sleep skipping.
2020-06-22 08:29:24,437 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 08:29:24,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4888 at 0x6ae60000, image base 0xdd0000, stack from 0x146000-0x150000
2020-06-22 08:29:55,703 [root] INFO: Process with pid 4888 has terminated
2020-06-22 08:30:07,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x288 amd local view 0x6ED30000 to global list.
2020-06-22 08:30:07,906 [root] DEBUG: DLL loaded at 0x6ED30000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-22 08:31:05,703 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4536.
2020-06-22 08:31:08,734 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-22 08:31:08,734 [lib.api.process] INFO: Terminate event set for process 4536
2020-06-22 08:31:08,734 [root] DEBUG: Terminate Event: Attempting to dump process 4536
2020-06-22 08:31:13,750 [lib.api.process] INFO: Termination confirmed for process 4536
2020-06-22 08:31:13,750 [root] INFO: Terminate event set for process 4536.
2020-06-22 08:31:13,750 [lib.api.process] INFO: Terminate event set for process 584
2020-06-22 08:31:18,765 [lib.api.process] INFO: Termination confirmed for process 584
2020-06-22 08:31:18,765 [root] INFO: Terminate event set for process 584.
2020-06-22 08:31:18,765 [lib.api.process] INFO: Terminate event set for process 1920
2020-06-22 08:31:21,890 [root] DEBUG: Terminate Event: Attempting to dump process 584
2020-06-22 08:31:21,937 [root] DEBUG: Terminate Event: Attempting to dump process 1920
2020-06-22 08:31:23,796 [lib.api.process] INFO: Termination confirmed for process 1920
2020-06-22 08:31:23,796 [root] INFO: Terminate event set for process 1920.
2020-06-22 08:31:23,796 [lib.api.process] ERROR: Failed to open terminate event for pid 3608
2020-06-22 08:31:23,796 [root] INFO: Terminate event set for process 3608.
2020-06-22 08:31:23,796 [lib.api.process] INFO: Terminate event set for process 460
2020-06-22 08:31:27,968 [root] DEBUG: Terminate Event: Attempting to dump process 460
2020-06-22 08:31:27,984 [lib.api.process] INFO: Termination confirmed for process 460
2020-06-22 08:31:27,984 [root] INFO: Terminate event set for process 460.
2020-06-22 08:31:27,984 [root] INFO: Created shutdown mutex.
2020-06-22 08:31:28,984 [root] INFO: Shutting down package.
2020-06-22 08:31:28,984 [root] INFO: Stopping auxiliary modules.
2020-06-22 08:31:53,906 [lib.common.results] WARNING: File C:\JbXQQGVZD\bin\procmon.xml doesn't exist anymore
2020-06-22 08:31:53,906 [root] INFO: Finishing auxiliary modules.
2020-06-22 08:31:53,906 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-22 08:31:53,968 [root] WARNING: Folder at path "C:\JbXQQGVZD\debugger" does not exist, skip.
2020-06-22 08:31:54,000 [root] WARNING: Monitor injection attempted but failed for process 4888.
2020-06-22 08:31:54,000 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-06-22 14:11:39 2020-06-22 14:18:16

File Details

File Name Order No. BCM190282..exe
File Size 469504 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-22 06:21:47
MD5 5ee539aad0490934cc676d14fef888b1
SHA1 18d8ff26436ff04ba1f81244737cd8ac24f87ad4
SHA256 75534d6e551410ef69df2b311cb9fc40ff9c7d7f978ceb45158f70b67036cee6
SHA512 a6bef3124cd2e9ce69aac228c33905cef6675526723d2880fed6cc559f8645c6ecd2980c622b04bc99c758e5cd06d3642bf3833ce8d1532b92014898b54283e0
CRC32 7A8F4947
Ssdeep 12288:SNGe88F/6cLzWUKCzb6epYdfRzkjEK0cS:SNGe8ILF1H6gCzkj/0B
Download Download ZIP Resubmit sample

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 5164 trigged the Yara rule 'AgentTeslaV2'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: Order No. BCM190282..exe tried to sleep 762.04 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SystemParametersInfo
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: KERNEL32.dll/FindAtom
DynamicLoader: KERNEL32.dll/FindAtomW
DynamicLoader: KERNEL32.dll/AddAtom
DynamicLoader: KERNEL32.dll/AddAtomW
DynamicLoader: MSCOREE.DLL/LoadLibraryShim
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: USER32.dll/SystemParametersInfo
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: gdiplus.dll/GdipCreateFontFamilyFromName
DynamicLoader: gdiplus.dll/GdipGetFamilyName
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetMapMode
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: USER32.dll/DrawTextExWW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/GetMonitorInfo
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: GDI32.dll/CreateDC
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: USER32.dll/GetDoubleClickTime
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromScan0
DynamicLoader: gdiplus.dll/GdipGetImagePixelFormat
DynamicLoader: gdiplus.dll/GdipGetImageGraphicsContext
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: gdiplus.dll/GdipGraphicsClear
DynamicLoader: gdiplus.dll/GdipCreateImageAttributes
DynamicLoader: gdiplus.dll/GdipSetImageAttributesColorKeys
DynamicLoader: gdiplus.dll/GdipDrawImageRectRectI
DynamicLoader: gdiplus.dll/GdipDisposeImageAttributes
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: gdiplus.dll/GdipGetLogFontW
DynamicLoader: MSCOREE.DLL/ND_WU1
DynamicLoader: mscoreei.dll/ND_WU1_RetAddr
DynamicLoader: mscoreei.dll/ND_WU1
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: GDI32.dll/GetTextExtentPoint32W
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: KERNEL32.dll/OpenMutex
DynamicLoader: KERNEL32.dll/OpenMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DestroyWindowW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: KERNEL32.dll/DeleteAtom
DynamicLoader: KERNEL32.dll/DeleteAtomW
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: USER32.dll/DestroyIcon
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: KERNEL32.dll/GetThreadPreferredUILanguages
DynamicLoader: KERNEL32.dll/SetThreadPreferredUILanguages
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetSystemDefaultLocaleName
DynamicLoader: fastprox.dll/DllGetClassObject
DynamicLoader: fastprox.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/BindMoniker
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsLookupClrGuid
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: MSCOREE.DLL/GetTokenForVTableEntry
DynamicLoader: MSCOREE.DLL/SetTargetForVTableEntry
DynamicLoader: MSCOREE.DLL/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry
DynamicLoader: KERNEL32.dll/GetLastError
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: OLEAUT32.dll/VariantInit
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: KERNEL32.dll/ZeroMemory
DynamicLoader: KERNEL32.dll/ZeroMemoryA
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: KERNEL32.dll/CreateIoCompletionPort
DynamicLoader: KERNEL32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetSystemTimeAsFileTime
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: KERNEL32.dll/GetModuleFileNameA
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/MoveFileExW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FindFirstFile
DynamicLoader: KERNEL32.dll/FindFirstFileW
DynamicLoader: KERNEL32.dll/FindClose
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/FindNextFile
DynamicLoader: KERNEL32.dll/FindNextFileW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/ZeroMemory
DynamicLoader: KERNEL32.dll/ZeroMemoryA
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: crypt32.dll/CryptUnprotectData
DynamicLoader: crypt32.dll/CryptUnprotectDataW
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: cryptbase.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetStdHandle
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CreatePipe
DynamicLoader: KERNEL32.dll/CreatePipeW
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentDirectory
DynamicLoader: KERNEL32.dll/GetCurrentDirectoryW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetConsoleOutputCP
DynamicLoader: KERNEL32.dll/GetConsoleOutputCPW
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: RASMONTR.DLL/InitHelperDll
DynamicLoader: NSHWFP.DLL/InitHelperDll
DynamicLoader: DHCPCMONITOR.DLL/InitHelperDll
DynamicLoader: WSHELPER.DLL/InitHelperDll
DynamicLoader: NSHHTTP.DLL/InitHelperDll
DynamicLoader: FWCFG.DLL/InitHelperDll
DynamicLoader: AUTHFWCFG.DLL/InitHelperDll
DynamicLoader: IFMON.DLL/InitHelperDll
DynamicLoader: NETIOHLP.DLL/InitHelperDll
DynamicLoader: WHHELPER.DLL/InitHelperDll
DynamicLoader: HNETMON.DLL/InitHelperDll
DynamicLoader: RPCNSH.DLL/InitHelperDll
DynamicLoader: DOT3CFG.DLL/InitHelperDll
DynamicLoader: NAPMONTR.DLL/InitHelperDll
DynamicLoader: NSHIPSEC.DLL/InitHelperDll
DynamicLoader: NETTRACE.DLL/InitHelperDll
DynamicLoader: WCNNETSH.DLL/InitHelperDll
DynamicLoader: P2PNETSH.DLL/InitHelperDll
DynamicLoader: WLANCFG.DLL/InitHelperDll
DynamicLoader: WWANCFG.DLL/InitHelperDll
DynamicLoader: PEERDISTSH.DLL/InitHelperDll
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: CRYPTSP.dll/CryptEnumProvidersW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: HTTPAPI.dll/HttpInitialize
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: USERENV.dll/UnregisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: HTTPAPI.dll/HttpTerminate
DynamicLoader: GPAPI.dll/UnregisterGPNotificationInternal
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
A process created a hidden window
Process: Order No. BCM190282..exe -> "netsh" wlan show profile
CAPE extracted potentially suspicious content
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Injected Shellcode/Data
Order No. BCM190282..exe: AgentTeslaV2 Payload: 32-bit executable
Order No. BCM190282..exe: AgentTeslaV2
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Injected Shellcode/Data
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Order No. BCM190282..exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.85, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00072000, virtual_size: 0x00071eb8
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe
Uses Windows utilities for basic functionality
command: "netsh" wlan show profile
Behavioural detection: Injection (Process Hollowing)
Injection: Order No. BCM190282..exe(5164) -> Order No. BCM190282..exe(4536)
Executed a process and injected code into it, probably while unpacking
Injection: Order No. BCM190282..exe(5164) -> Order No. BCM190282..exe(4536)
Deletes its original binary from disk
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (460) called API GetSystemTimeAsFileTime 9392351 times
Steals private information from local Internet browsers
file: C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
CAPE detected the AgentTeslaV2 malware family
File has been identified by 17 Antiviruses on VirusTotal as malicious
FireEye: Generic.mg.5ee539aad0490934
Cylance: Unsafe
Sangfor: Malware
Cybereason: malicious.6436ff
Invincea: heuristic
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
McAfee-GW-Edition: BehavesLike.Win32.Generic.gc
Trapmine: suspicious.low.ml.score
Ikarus: Win32.Outbreak
eGambit: Unsafe.AI_Score_99%
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Sonbokli.A!cl
ZoneAlarm: UDS:DangerousObject.Multi.Generic
APEX: Malicious
MaxSecure: Trojan.Malware.300983.susgen
CrowdStrike: win/malicious_confidence_90% (W)
Harvests credentials from local FTP client softwares
file: C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file: C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Rebecca\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe.config
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index38e.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..config
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..INI
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Globalization\en-us.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\staticcache.dat
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Users\Rebecca\AppData\Local\Temp\en-US\eluugEKZi.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\eluugEKZi.resources\eluugEKZi.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\eluugEKZi.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\eluugEKZi.resources\eluugEKZi.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\Globalization\en.nlp
C:\Users\Rebecca\AppData\Local\Temp\en\eluugEKZi.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\eluugEKZi.resources\eluugEKZi.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\eluugEKZi.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\eluugEKZi.resources\eluugEKZi.resources.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V2.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V2.resources\ReZer0V2.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V2.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\ReZer0V2.resources\ReZer0V2.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V2.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V2.resources\ReZer0V2.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V2.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\ReZer0V2.resources\ReZer0V2.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.5164.2444312
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.5164.2444312
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.5164.2444328
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\OLEAUT32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\aa404966f6e5a3d1f9d0fe3ba1d13ec1\CustomMarshalers.ni.dll
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.INI
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\oleaut32.DLL
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\oleaut32.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\%insfolder%\%insname%
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Users\Rebecca\AppData\Local\Temp\tmpG562.tmp
C:\Users\Rebecca\AppData\Local\7Star\7Star\User Data
C:\Users\Rebecca\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Rebecca\AppData\Local\Orbitum\User Data
C:\Users\Rebecca\AppData\Local\Kometa\User Data
C:\Users\Rebecca\AppData\Local\Chromium\User Data
C:\Users\Rebecca\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Rebecca\AppData\Local\Vivaldi\User Data
C:\Users\Rebecca\AppData\Local\CocCoc\Browser\User Data
C:\Users\Rebecca\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Rebecca\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Rebecca\AppData\Local\Torch\User Data
C:\Users\Rebecca\AppData\Local\CentBrowser\User Data
C:\Users\Rebecca\AppData\Local\liebao\User Data
C:\Users\Rebecca\AppData\Local\Iridium\User Data
C:\Users\Rebecca\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Rebecca\AppData\Local\Coowon\Coowon\User Data
C:\Users\Rebecca\AppData\Local\Amigo\User Data
C:\Users\Rebecca\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Rebecca\AppData\Local\Chedot\User Data
C:\Users\Rebecca\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Rebecca\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Rebecca\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Rebecca\AppData\Local\QIP Surf\User Data
C:\Users\Rebecca\AppData\Local\Comodo\Dragon\User Data
C:\Users\Rebecca\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Rebecca\AppData\Local\Elements Browser\User Data
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Local\Temp\Folder.lst
C:\cftp\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Pocomail\accounts.ini
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\FTP Navigator\Ftplist.txt
C:\Program Files\jDownloader\config\database.script
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Psi\profiles
C:\Users\Rebecca\AppData\Roaming\Psi+\profiles
C:\Users\Rebecca\AppData\Roaming\The Bat!
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Rebecca\AppData\Local\UCBrowser\*
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\*
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\51fb28e8a54a8d8f6021415d47477ab4\System.Security.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.INI
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Local State
C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\crypt32.dll
\Device\KsecDD
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\logins.json
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\signons.sqlite
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
\Device\NamedPipe\
C:\Users\Rebecca\AppData\Local\Microsoft\Edge\User Data
C:\Users\Rebecca\AppData\Local\Temp\vaultcli.dll
C:\Users\Rebecca\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Rebecca\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Program Files\Common Files\Apple\Apple Application Support\plutil.exe
C:\Storage\
C:\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\Rebecca\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Claws-mail
C:\Users\Rebecca\AppData\Roaming\Claws-mail\clawsrc
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\credui.dll
\Device\Http\Communication
C:\Windows\System32\en-US\FWCFG.DLL.mui
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\QAGENTRT.DLL
C:\Windows\System32\dnsapi.dll
C:\Windows\System32\fveui.dll
C:\Windows\System32\wuaueng.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\en-US\CRYPT32.dll.mui
C:\Windows\System32\DHCPQEC.DLL
C:\Windows\System32\en-US\DhcpQEC.dll.mui
C:\Windows\System32\napipsec.dll
C:\Windows\System32\en-US\napipsec.dll.mui
C:\Windows\System32\tsgqec.dll
C:\Windows\System32\en-US\tsgqec.dll.mui
C:\Windows\System32\EAPQEC.DLL
C:\Windows\System32\en-US\eapqec.dll.mui
C:\Windows\System32\en-US\P2PNETSH.DLL.mui
C:\Windows\System32\en-US\WLANCFG.DLL.mui
C:\Windows\Temp
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe.config
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index38e.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\staticcache.dat
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\aa404966f6e5a3d1f9d0fe3ba1d13ec1\CustomMarshalers.ni.dll
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..config
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\FTP Navigator\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\51fb28e8a54a8d8f6021415d47477ab4\System.Security.ni.dll
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Local State
\Device\KsecDD
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
\Device\NamedPipe\
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\credui.dll
\Device\Http\Communication
C:\Windows\System32\en-US\FWCFG.DLL.mui
C:\Windows\System32\en-US\CRYPT32.dll.mui
C:\Windows\System32\en-US\DhcpQEC.dll.mui
C:\Windows\System32\napipsec.dll
C:\Windows\System32\en-US\napipsec.dll.mui
C:\Windows\System32\tsgqec.dll
C:\Windows\System32\en-US\tsgqec.dll.mui
C:\Windows\System32\EAPQEC.DLL
C:\Windows\System32\en-US\eapqec.dll.mui
C:\Windows\System32\en-US\P2PNETSH.DLL.mui
C:\Windows\System32\en-US\WLANCFG.DLL.mui
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Rebecca\AppData\Local\Temp\tmpG562.tmp
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\Device\Http\Communication
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.5164.2444312
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.5164.2444312
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.5164.2444328
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Order No. BCM190282..exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7cfb93d6\56925b94
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
\x1e8\x161EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\10647a6d\40cc05f7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|Order No. BCM190282..exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|Order No. BCM190282..exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|Order No. BCM190282..exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\10647a6d\228607f5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\25fd5cf0\fe3ad34
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\25fd5cf0\21bb12f8
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Order No. BCM190282..exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\8305EF5B
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\cd3b9df\248e3bdf
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\MissingDependencies
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\DisabledComponents
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iphlpsvc\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\config\Connectivity_Platform_Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NapAgent\LocalConfig
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enable Tracing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Tracing Level
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79617
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\PlumbIpsecPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79619
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79621
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79623
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI
HKEY_CURRENT_USER\Software\Classes\AppID\netsh.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetTrace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetTrace\Scenarios
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\NetTrace
HKEY_CURRENT_USER\System\CurrentControlSet\Control\NetTrace\Session
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetTrace\DebugFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\PolicyProvider
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service\PolicyRefreshInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\TransportDllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\CryptoAlgo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager\Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager\Download
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Download
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager\Discovery
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Discovery
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager\Upload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Upload
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager\UtilityIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\UtilityIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DownloadManager\Peers\Connection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\SecurityManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\BlockSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\NumBlocksPerSegment
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\SecurityManager\Restricted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\Restricted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\Restricted\Seed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\CacheMgr\Republication
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Publication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\CacheMgr\Publication
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\HandleMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HandleMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\ServerRole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\ClientAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\TransportDllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxSimultaneousDownloads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxSimultaneousUploads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxPendingOffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxPendingDownloads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\DoNotUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\CooperativeCaching
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\DiscoveryManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager\RepubQuorumSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager\MinBackoffWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager\DiscoveryProviderDllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\Publisher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Publisher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\Roaming
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\ForceRoamingDetect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\RefreshDllName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\RefreshProcName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
\x1e8\x161EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\a4\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\58\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\b5\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\63\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\bb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\8305EF5B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\28\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\6c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\34724983\16\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\9e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\52\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\b4\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\75\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\64\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\71\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\DisabledComponents
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\config\Connectivity_Platform_Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enable Tracing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Tracing Level
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\PlumbIpsecPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetTrace\DebugFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service\PolicyRefreshInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\TransportDllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\CryptoAlgo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\BlockSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\NumBlocksPerSegment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\SecurityManager\Restricted\Seed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\ServerRole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\ClientAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\TransportDllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxSimultaneousDownloads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxSimultaneousUploads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxPendingOffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\MaxPendingDownloads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\DoNotUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager\RepubQuorumSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager\MinBackoffWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager\DiscoveryProviderDllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\ForceRoamingDetect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\RefreshDllName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\RefreshProcName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetFullPathNameW
kernel32.dll.GetVersionExW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetUserDefaultUILanguage
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.SystemParametersInfoW
user32.dll.GetDC
kernel32.dll.GetCurrentProcessId
kernel32.dll.FindAtomW
kernel32.dll.AddAtomW
mscoree.dll.LoadLibraryShim
mscoreei.dll.LoadLibraryShim
gdiplus.dll.GdiplusStartup
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
kernel32.dll.RegEnumValueW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontSize
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipCreateFont
kernel32.dll.GetSystemDefaultLCID
gdi32.dll.GetObjectW
kernel32.dll.RegQueryInfoKeyW
gdiplus.dll.GdipDeleteFont
gdiplus.dll.GdipCreateFontFamilyFromName
gdiplus.dll.GdipGetFamilyName
gdi32.dll.CreateCompatibleDC
gdi32.dll.GetCurrentObject
gdi32.dll.SaveDC
gdi32.dll.GetDeviceCaps
gdi32.dll.CreateFontIndirectW
gdi32.dll.SelectObject
gdi32.dll.GetMapMode
gdi32.dll.GetTextMetricsW
user32.dll.DrawTextExW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
user32.dll.MonitorFromRect
user32.dll.GetMonitorInfoW
gdi32.dll.CreateDCW
gdi32.dll.DeleteDC
user32.dll.GetDoubleClickTime
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipCreateBitmapFromScan0
gdiplus.dll.GdipGetImagePixelFormat
gdiplus.dll.GdipGetImageGraphicsContext
user32.dll.GetSysColor
gdiplus.dll.GdipGraphicsClear
gdiplus.dll.GdipCreateImageAttributes
gdiplus.dll.GdipSetImageAttributesColorKeys
gdiplus.dll.GdipDrawImageRectRectI
gdiplus.dll.GdipDisposeImageAttributes
gdiplus.dll.GdipDisposeImage
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
culture.dll.ConvertLangIdToCultureName
user32.dll.CreateIconFromResourceEx
gdiplus.dll.GdipGetLogFontW
mscoree.dll.ND_WU1
mscoreei.dll.ND_WU1
gdi32.dll.GetTextExtentPoint32W
user32.dll.GetCursorPos
user32.dll.MonitorFromPoint
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipBitmapGetPixel
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.SwitchToThread
kernel32.dll.OpenMutexW
kernel32.dll.CloseHandle
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
ole32.dll.CoWaitForMultipleHandles
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
user32.dll.IsWindow
user32.dll.DestroyWindow
kernel32.dll.DeleteAtom
gdi32.dll.RestoreDC
gdi32.dll.DeleteObject
user32.dll.DestroyIcon
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
cryptsp.dll.CryptReleaseContext
advapi32.dll.EventUnregister
bcrypt.dll.BCryptGetFipsAlgorithmMode
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
cryptsp.dll.CryptCreateHash
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
ole32.dll.MkParseDisplayName
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
ole32.dll.BindMoniker
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
sxs.dll.SxsLookupClrGuid
oleaut32.dll.#9
oleaut32.dll.#4
mscoreei.dll._CorDllMain
mscoree.dll.GetTokenForVTableEntry
mscoree.dll.SetTargetForVTableEntry
mscoree.dll.GetTargetForVTableEntry
mscoreei.dll.GetTokenForVTableEntry
mscoreei.dll.SetTargetForVTableEntry
mscoreei.dll.GetTargetForVTableEntry
kernel32.dll.GetLastError
kernel32.dll.LocalAlloc
oleaut32.dll.VariantInit
oleaut32.dll.VariantClear
kernel32.dll.CreateEventW
kernel32.dll.SetEvent
ole32.dll.IIDFromString
kernel32.dll.LoadLibraryA
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
ole32.dll.CoUninitialize
oleaut32.dll.#500
oleaut32.dll.#7
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
advapi32.dll.GetUserNameW
kernel32.dll.GetComputerNameW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtGetCurrentProcessorNumber
kernel32.dll.GetSystemTimeAsFileTime
user32.dll.GetLastInputInfo
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetTempPathW
kernel32.dll.MoveFileExW
shfolder.dll.SHGetFolderPathW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
ole32.dll.CLSIDFromProgIDEx
oleaut32.dll.#2
oleaut32.dll.#6
kernel32.dll.FindNextFileW
oleaut32.dll.#204
oleaut32.dll.#203
oleaut32.dll.#179
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.LocalFree
crypt32.dll.CryptUnprotectData
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.NdrClientCall2
cryptbase.dll.SystemFunction041
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
kernel32.dll.GetStdHandle
kernel32.dll.CreatePipe
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.GetConsoleOutputCP
vaultcli.dll.VaultEnumerateVaults
oleaut32.dll.#201
ole32.dll.CoCreateGuid
ole32.dll.OleInitialize
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.WaitMessage
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.StringFromCLSID
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegSetValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoRevertToSelf
ole32.dll.CoSwitchCallContext
sspicli.dll.LogonUserExExW
comctl32.dll.#320
comctl32.dll.#324
rasmontr.dll.InitHelperDll
nshwfp.dll.InitHelperDll
dhcpcmonitor.dll.InitHelperDll
wshelper.dll.InitHelperDll
nshhttp.dll.InitHelperDll
fwcfg.dll.InitHelperDll
authfwcfg.dll.InitHelperDll
ifmon.dll.InitHelperDll
netiohlp.dll.InitHelperDll
whhelper.dll.InitHelperDll
hnetmon.dll.InitHelperDll
rpcnsh.dll.InitHelperDll
dot3cfg.dll.InitHelperDll
napmontr.dll.InitHelperDll
nshipsec.dll.InitHelperDll
nettrace.dll.InitHelperDll
wcnnetsh.dll.InitHelperDll
p2pnetsh.dll.InitHelperDll
wlancfg.dll.InitHelperDll
wwancfg.dll.InitHelperDll
peerdistsh.dll.InitHelperDll
cryptsp.dll.CryptEnumProvidersW
user32.dll.LoadStringW
advapi32.dll.RegCreateKeyExW
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceConfigW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceStatus
httpapi.dll.HttpInitialize
userenv.dll.RegisterGPNotification
userenv.dll.UnregisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
bcryptprimitives.dll.GetHashInterface
bcryptprimitives.dll.GetCipherInterface
kernel32.dll.SetThreadUILanguage
httpapi.dll.HttpTerminate
gpapi.dll.UnregisterGPNotificationInternal
comctl32.dll.#388
"{path}"
C:\Users\Rebecca\AppData\Local\Temp\Order No. BCM190282..exe "{path}"
"netsh" wlan show profile
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
Global\CLR_CASOFF_MUTEX
DElTUylWIqHnB
VaultSvc

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x00473e12 0x00000000 0x00081602 4.0 2020-06-22 06:21:47 f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00071eb8 0x00072000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.85
.rsrc 0x00072200 0x00074000 0x000005c4 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.12
.reloc 0x00072800 0x00076000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00074090 0x00000334 LANG_NEUTRAL SUBLANG_NEUTRAL 3.29 None
RT_MANIFEST 0x000743d4 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name eluugEKZi
Version 1.0.0.0

Assembly References

Name Version
mscorlib 2.0.0.0
System.Windows.Forms 2.0.0.0
System 2.0.0.0
System.Drawing 2.0.0.0
Microsoft.VisualBasic 8.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute VersiveProje
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute VersiveProje
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute e18d6f71-62a1-4f88-9c11-4beabf6d24
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.0.0

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Object
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
mscorlib System.Enum
System.Windows.Forms System.Windows.Forms.Form
System.Windows.Forms System.Windows.Forms.PictureBox
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.ToolStrip
System.Windows.Forms System.Windows.Forms.ToolStripButton
System.Windows.Forms System.Windows.Forms.Panel
System.Windows.Forms System.Windows.Forms.ToolStripSplitButton
System.Windows.Forms System.Windows.Forms.ToolStripMenuItem
System.Windows.Forms System.Windows.Forms.ToolStripSeparator
System.Windows.Forms System.Windows.Forms.ToolStripLabel
System.Windows.Forms System.Windows.Forms.ToolStripTextBox
mscorlib System.EventArgs
System.Windows.Forms System.Windows.Forms.ToolStripItemClickedEventArgs
System.Windows.Forms System.Windows.Forms.MouseEventArgs
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Image
System.Windows.Forms System.Windows.Forms.KeyEventArgs
System.Windows.Forms System.Windows.Forms.PaintEventArgs
System System.ComponentModel.ComponentResourceManager
mscorlib System.STAThreadAttribute
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.Button
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
mscorlib System.ValueType
System.Windows.Forms System.Windows.Forms.Keys
mscorlib System.Reflection.Assembly
mscorlib System.AppDomain
System System.Collections.Generic.Queue`1
mscorlib System.Nullable`1
System.Windows.Forms System.Windows.Forms.MenuStrip
System.Windows.Forms System.Windows.Forms.StatusStrip
System.Windows.Forms System.Windows.Forms.ToolStripStatusLabel
System.Windows.Forms System.Windows.Forms.ToolTip
System.Windows.Forms System.Windows.Forms.OpenFileDialog
System.Windows.Forms System.Windows.Forms.SaveFileDialog
mscorlib System.Collections.Generic.Dictionary`2
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Collections.Generic.List`1
mscorlib System.Random
mscorlib System.DateTime
System System.Diagnostics.Stopwatch
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
System System.ComponentModel.EditorBrowsableState
System System.ComponentModel.EditorBrowsableAttribute
mscorlib System.IO.File
mscorlib System.String
System.Windows.Forms System.Windows.Forms.MessageBox
mscorlib System.Array
mscorlib System.Int32
mscorlib System.Char
System.Windows.Forms System.Windows.Forms.Control
System.Windows.Forms System.Windows.Forms.MouseButtons
mscorlib System.Math
System.Drawing System.Drawing.SystemColors
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.BorderStyle
System.Drawing System.Drawing.Size
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.MouseEventHandler
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.ToolStripItem
mscorlib System.IDisposable
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
System.Drawing System.Drawing.Font
System.Windows.Forms System.Windows.Forms.ToolStripItemCollection
System.Windows.Forms System.Windows.Forms.ToolStripItemClickedEventHandler
System.Windows.Forms System.Windows.Forms.CheckState
System.Windows.Forms System.Windows.Forms.ToolStripItemDisplayStyle
System.Windows.Forms System.Windows.Forms.Padding
mscorlib System.EventHandler
System.Windows.Forms System.Windows.Forms.HorizontalAlignment
System.Windows.Forms System.Windows.Forms.KeyEventHandler
System.Windows.Forms System.Windows.Forms.ToolStripControlHost
System.Windows.Forms System.Windows.Forms.ToolStripDropDownItem
System.Windows.Forms System.Windows.Forms.DockStyle
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Windows.Forms System.Windows.Forms.ToolStripItemImageScaling
System.Windows.Forms System.Windows.Forms.TextImageRelation
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Drawing System.Drawing.Icon
System.Windows.Forms System.Windows.Forms.FormStartPosition
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.ImageLayout
System.Windows.Forms System.Windows.Forms.Cursors
System.Windows.Forms System.Windows.Forms.Cursor
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Windows.Forms System.Windows.Forms.FlatButtonAppearance
System.Windows.Forms System.Windows.Forms.FlatStyle
System.Windows.Forms System.Windows.Forms.FormBorderStyle
System.Windows.Forms System.Windows.Forms.RightToLeft
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.LateBinding
mscorlib System.Environment
mscorlib System.Environment/SpecialFolder
System.Windows.Forms System.Windows.Forms.FileDialog
System.Windows.Forms System.Windows.Forms.CommonDialog
System.Windows.Forms System.Windows.Forms.IWin32Window
System.Windows.Forms System.Windows.Forms.MdiLayout
System System.ComponentModel.Container
System.Windows.Forms System.Windows.Forms.ToolStripLayoutStyle
mscorlib System.NotImplementedException
mscorlib System.Double
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.RuntimeFieldHandle
mscorlib System.Console

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
#.(+:
#.(+:
v2.0.50727
#Strings
#GUID
#Blob
__StaticArrayInitTypeSize=160
Nullable`1
Queue`1
SortedSet`1
List`1
frame1
_frameSize1
window_size1
toolStripLabel1
label1
panel1
ToolStripMenuItem1
ToolStripMenuItem1
ToolStripMenuItem1
toolStrip1
toolStripSeparator1
MDIParent1
Int32
Dictionary`2
frame2
_frameSize2
window_size2
toolStripLabel2
label2
get_CoreModel2
toolStripMenuItem2
toolStripSeparator2
toolStripSeparator3
toolStripSeparator4
toolStripLabel5
toolStripSeparator5
toolStripLabel6
toolStripSeparator6
toolStripLabel7
toolStripSeparator7
toolStripSeparator8
<Module>
<PrivateImplementationDetails>
9F6E8424AEDC3EE4E136A800BC166ACE250876E8B6697F4AD1242A58761ED2AB
CDCDCDCD
SizeF
get_qEdvISNAwXUOvXQLqcgEHTGxehsQN
System.IO
cell_backUP
AXAXAXAX
get_X
get_Y
value__
get_Magenta
get_Aqua
FromArgb
mscorlib
InputStreamStub
System.Collections.Generic
Microsoft.VisualBasic
CalculateDonesAndTotals_Statistic
deShowStatistic
add_Load
LabirintForm_Load
SokobanEditor_Load
get_Red
get_Checked
set_Checked
toolStrip1_ItemClicked
add_ItemClicked
set_DoubleBuffered
valid
<Min>k__BackingField
<Max>k__BackingField
get_Hand
get_Millisecond
method
get_ButtonFace
Place
Replace
FlatButtonAppearance
get_FlatAppearance
get_KeyCode
set_AutoScaleMode
set_SizeMode
PictureBoxSizeMode
RbTree
ShitToUpperTree
ShiftToLowTree
set_Image
AddRange
set_AllowMerge
EndInvoke
BeginInvoke
IDisposable
set_Visible
Double
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
LevelFromFile
HowMuchLevelsInFile
OpenFile
Console
DockStyle
set_BorderStyle
set_FormBorderStyle
set_FlatStyle
FontStyle
set_LayoutStyle
ToolStripLayoutStyle
set_DisplayStyle
ToolStripItemDisplayStyle
set_Name
get_FileName
filename
Frame
DateTime
WriteLine
toolDone
toolNone
progressInLevel_done
HowMuchElementsOneType
ValueType
toolHere
CellToPicture
get_Culture
set_Culture
resourceCulture
ButtonBase
Close
Dispose
TryParse
Reverse
MulticastDelegate
DebuggerBrowsableState
EditorBrowsableState
set_CheckState
get_White
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
_queue
Dequeue
Enqueue
get_RoyalBlue
get_Value
CheckValue
get_HasValue
newValue
value
toolSave
toRemove
eluugEKZi.exe
set_Size
frameSize
set_ImageScalingSize
set_AutoSize
toolStripTextBoxMapSize
set_BorderSize
_targetSize
set_ClientSize
_currentSize
newLevel_size
add_Resize
LabirintForm_Resize
SokobanEditor_Resize
toolResize
get_Tag
set_Tag
Padding
LateBinding
set_ImageScaling
ToolStripItemImageScaling
ToString
toString
disposing
VersiveProject.Testing
System.Drawing
SaveFileDialog
OpenFileDialog
CommonDialog
ShowDialog
Stopwatch
BinaryMath
GetFolderPath
get_Width
changableNumberOFpicturesONwidth
numberOFpicturesONwidth
numberOfPBs_width
numberOfcells_width
GetLength
eluugEKZi
LayoutMdi
toolBack
AsyncCallback
callback
get_Black
toolStripLabel1_Click
label1_Click
add_Click
toolDone_Click
toolNone_Click
toolHere_Click
toolSave_Click
toolBack_Click
toolRestartLevel_Click
toolNextLevel_Click
toolPrevLevel_Click
toolWall_Click
toolResizeAdd1Col_Click
toolResizeDel1Col_Click
CascadeToolStripMenuItem_Click
PasteToolStripMenuItem_Click
TileVerticalToolStripMenuItem_Click
TileHorizontalToolStripMenuItem_Click
CloseAllToolStripMenuItem_Click
ToolBarToolStripMenuItem_Click
StatusBarToolStripMenuItem_Click
SaveAsToolStripMenuItem_Click
ArrangeIconsToolStripMenuItem_Click
CutToolStripMenuItem_Click
CopyToolStripMenuItem_Click
ExitToolsStripMenuItem_Click
toolUser_Click
toolResizeAdd5Cols_Click
toolResizeDel5Cols_Click
toolResizeAdd5Rows_Click
toolResizeDel5Rows_Click
buttonStart_Click
toolNext_Click
toolResizeAdd1Row_Click
toolResizeDel1Row_Click
toolBox_Click
pictureBox1_MouseDoubleClick
add_MouseDoubleClick
ShowCellAfterUserDecision_forDoubleClick
pictureBox1_MouseClick
add_MouseClick
set_CheckOnClick
toolStripButton1_ButtonClick
add_ButtonClick
toolResize_ButtonClick
set_Dock
get_ControlDark
numberOfPBs_width_global
numberOfPBs_height_global
get_Coral
progressInLevel_total
actual
ToolStripLabel
ToolStripStatusLabel
toolStripStatusLabel
System.ComponentModel
Panel
LoadLevel
IsGoodLevel
toolNumberOfTimeLevel
SaveLevel
ChangeSkeletonOfLevel
numberOfLevel
toolProgressInLevel
OpenLevel
InitLevel
toolCurrentLevel
currentLevel
toolRestartLevel
toolNextLevel
toolPrevLevel
ShowLevel
level
toolWall
SetUserDecisionCell
CharToCell
userdecision_cell
selectedcell
ContainerControl
ICheckableStream
RandomInputStream
inputStream
input_stream
Program
get_Item
set_Item
ToolStripDropDownItem
ToolStripItem
set_MdiWindowListItem
cascadeToolStripMenuItem
pasteToolStripMenuItem
saveToolStripMenuItem
searchToolStripMenuItem
tileVerticalToolStripMenuItem
tileHorizontalToolStripMenuItem
closeAllToolStripMenuItem
selectAllToolStripMenuItem
openToolStripMenuItem
redoToolStripMenuItem
undoToolStripMenuItem
printSetupToolStripMenuItem
toolBarToolStripMenuItem
statusBarToolStripMenuItem
saveAsToolStripMenuItem
arrangeIconsToolStripMenuItem
optionsToolStripMenuItem
contentsToolStripMenuItem
exitToolStripMenuItem
printToolStripMenuItem
cutToolStripMenuItem
aboutToolStripMenuItem
printPreviewToolStripMenuItem
newToolStripMenuItem
newWindowToolStripMenuItem
indexToolStripMenuItem
copyToolStripMenuItem
ToolStripMenuItem
ToolStripMenuItem
ToolStripMenuItem
ToolStripMenuItem
System
getRandom
WelcomeForm
get_ActiveForm
LabirintForm
ShowNewForm
resourceMan
get_Mean
_mean
get_Median
_median
MyStatsGen
get_MdiChildren
set_TextBoxTextAlign
get_Min
set_Min
AppDomain
get_CurrentDomain
set_Margin
width_min
height_min
set_Icon
ShowCellAfterUserDecision
Application
set_Location
user_location
set_TextImageRelation
System.Globalization
System.Reflection
ControlCollection
ToolStripItemCollection
set_StartPosition
FormStartPosition
get_ActiveCaption
NotImplementedException
get_Button
saveToolStripButton
openToolStripButton
helpToolStripButton
printToolStripButton
printPreviewToolStripButton
newToolStripButton
ToolStripSplitButton
add_KeyDown
toolStripTextBoxMapSize_KeyDown
LabirintForm_KeyDown
get_Brown
CultureInfo
UserStepOnLevelMap
Bitmap
BasicVerifyOfStep
ToolTip
toolTip
ToolStrip
toolStrip
StatusStrip
statusStrip
set_MainMenuStrip
menuStrip
get_Desktop
Clear
CellToChar
childFormNumber
ReadLevelHeader
SpecialFolder
sender
get_ActiveBorder
get_ResourceManager
ComponentResourceManager
MeanTracker
_meanTracker
MedianMaxTracker
_medianMaxTracker
ToolStripItemClickedEventHandler
MouseEventHandler
KeyEventHandler
System.CodeDom.Compiler
IContainer
set_IsMdiContainer
upper
toolUser
set_Filter
get_Silver
lower
curr_level_nr
lastInCurrent_level_nr
set_ForeColor
set_BackColor
set_UseVisualStyleBackColor
set_MouseDownBackColor
set_MouseOverBackColor
set_BorderColor
set_ImageTransparentColor
set_Cursor
ToolStripSeparator
StatisticsGenerator
_generator
.ctor
.cctor
SokobanEditor
prj_s
Statistics
System.Diagnostics
DeleteMethods
notification_endplaces
System.Runtime.InteropServices
Microsoft.VisualBasic.CompilerServices
System.Runtime.CompilerServices
System.Resources
VersiveProject.MDIParent1.resources
prj_s.WelcomeForm.resources
prj_s.LabirintForm.resources
Editor.SokobanEditor.resources
VersiveProject.Properties.Resources.resources
DebuggingModes
VersiveProject.Properties
EnableVisualStyles
ReadAllLines
WriteAllLines
LoadPictures
InitPictures
deShowTextures
getValues
_values
notification_boxes
ToolStripItemClickedEventArgs
MouseEventArgs
PaintEventArgs
KeyEventArgs
get_ElapsedTicks
get_Controls
get_Items
get_DropDownItems
System.Windows.Forms
Contains
set_AutoScaleDimensions
CalculateFactsForNotifications
MouseButtons
MessageBoxButtons
get_Chars
RuntimeHelpers
SystemColors
Cursors
GameProccess
gameproccess
toolFactOfSuccess
TestHarness
printProgress
levelMap_UNmovedObjects
ShowMovedAndUNmovedObjects
levelUser_movedObjects
checkResults
components
set_ShortcutKeys
Concat
Format
GetObject
object
VersiveProject
LateGet
target
set_RightToLeft
get_Height
changableNumberOFpicturesONheight
numberOFpicturesONheight
numberOfPBs_height
numberOfcells_height
get_Highlight
Split
GraphicsUnit
SetCompatibleTextRenderingDefault
IAsyncResult
DialogResult
CheckResult
result
HorizontalAlignment
Environment
InitializeComponent
set_MdiParent
panel2_Paint
Point
set_Font
get_Count
_count
buttonStart
start
ToolStripControlHost
SuspendLayout
set_BackgroundImageLayout
ResumeLayout
MdiLayout
PerformLayout
toolNext
hasNext
getNext
get_Text
set_Text
get_ActiveCaptionText
set_ToolTipText
fileMenu
helpMenu
toolsMenu
windowsMenu
editMenu
viewMenu
set_KeyPreview
get_Now
IWin32Window
get_Window
doubleMouseClick_x
step_x
get_Max
set_Max
width_max
height_max
set_TabIndex
MessageBox
PictureBox
set_MaximizeBox
toolBox
ToolStripTextBox
doubleMouseClick_y
step_y
InitializeArray
ToArray
ToCharArray
get_Assembly
set_InitialDirectory
op_Inequality
Empty
WrapNonExceptionThrows
VersiveProject
Copyright
2018
$e18d6f71-62a1-4f88-9c11-4beabf6d2467
1.0.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
IconData
IconSize
System.Drawing.Size
System.Drawing.Size
width
height
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
IconData
IconSize
System.Drawing.Size
System.Drawing.Size
width
height
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADM
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8Oc
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
tyw%9
m_,!8T
s+B/,{\
$Oi9{
.E)HH
Lech2(
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
tyw%9
m_,!8T
s+B/,{\
$Oi9{
.E)HH
Lech2(
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
Iu'[}gJ
{3T[2_
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
Iu'[}gJ
{3T[2_
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
XIDAT8O
o"OgE
)%<QEh|
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
XIDAT8O
o"OgE
)%<QEh|
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
WIDAT8O
2Rw[m
0Cwa&`Bt
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
/R=E(
aae-1
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
/R=E(
aae-1
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
*IDAT8O
Lc(eD
Y!QiQ
ZpT G
NpHvP
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
*IDAT8O
Lc(eD
Y!QiQ
ZpT G
NpHvP
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
/IDAT8O
]t[Sc8
bu/qx
-;d<n
lh:kF
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
/IDAT8O
]t[Sc8
bu/qx
-;d<n
lh:kF
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
$dX_wUFvC
><a`v
~FD\,
RcFJ.D
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHRM
IDAT8O
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADC
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
,T&&&&&
,K&+#
*BSJB
v2.0.50727
#Strings
#GUID
#Blob
CoreModel.dll
CoreModel
<Module>
Setup
mscorlib
Object
System
PoweredByAttribute
SmartAssembly.Attributes
Attribute
QSQWDWD
QSQSQSQS
System.Drawing
Bitmap
WDWDW
DeleteSetup
CSCSC
SCSCSC
.ctor
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
DebuggableAttribute
System.Diagnostics
DebuggingModes
AssemblyTitleAttribute
System.Reflection
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
Array
List`1
System.Collections.Generic
Image
get_Width
get_Size
get_Height
GetPixel
Color
FromArgb
op_Inequality
get_R
get_G
get_B
AddRange
IEnumerable`1
ToArray
String
Concat
Assembly
GetEntryAssembly
ResourceManager
System.Resources
GetObject
Thread
System.Threading
GetDomain
AppDomain
Microsoft.VisualBasic
Interaction
CallByName
CallType
Int32
Sleep
Environment
WrapNonExceptionThrows
CoreModel
Copyright
2020
$7813e2b4-ad0f-42b4-9c20-58765e008edd
1.0.0.0
#Powered by SmartAssembly 7.3.0.3296
_CorDllMain
mscoree.dll
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
IDATx^
lHHJi
mwdq`
#3})W
FTtlK
Pm.'9,
%=1}(%
vqpf*%^:
%z.A"o
6]J3Y(V
SC&8I
]=ZtN
(k(N:2^
xIcLD
XuM%r
|,_T-
HB}=Vu
MH0Rg
U!RMi\
+4X+D
JF;__diA
a=Qd
`{e!7O
?#Hx6]
?F3_8
wyArt
xIZ,2'
Tw!R+p8
2cfF0d
dlvJP1
wZ2M8
/+cKq"
t9o6:qL
5]lb1
sInHU
MZlDb
Yd6P#
=Fuwg
4gPlsl
ZYS}$
Mk#]b
}5<NJ
!|uR'
|lR*).
ZS&D*
I:#2.
h.H-U
%oNtsmL[L
o4.Ms
r\FZ0
joj3c0
u&DW<
[@7_[vf
bnAvUWd
ki,H*
OvEkqS
X_I`g
Y`ZGzp
]mN>R
E.#Z.
Ou=h$D
+6>T{
:`39Ea8
}0jeI
tf=cN
'~X>U
x7Q6:
G5;?N
OG;w<
*HXPg
QWi/HX
:haT\
jEB;O
h0_4\
IuD=+
6,Qn\
wTG,'P
K?:P=
9?_8
L)-bi
S,9u>
s}f|He
0*,Cs
]AV6S
zQsoL
Hr,{2
&:Jqbn
sdo0/
0F1Em
JxYGt
/z&zX
(25_by#
8:FU!
,+Y|k2
Qd$!g
t^U81/
D.)eh
:,Wn<
+uGBh
e!h|k
7gj:Q
UNU|s
"M>vY
,{DQzs
q;=Gh
424A"1C
Oz!#mW
|3|JD
?rat9
7&qk8
J;>|i
0ZsM9
k}SAC7
BJe-a
'Y\ZD
W!-zD
bw2s9
,HX[y
d[i>{
N^I~M
S;H$s
y0Pe*
4ezV<
T"i{W
h=y7K
]71Ja^
%hfWV
>$`y*
]g^m2W
J'y=1c
%OW;Qx
W_!pC
p<5I]
MV:Ii
>=mFc(H*
t*),/
T/Zv5
d!Rw(~
?4C>`
Bo"WU
hn<Gf
j-D*M
)t U
i!H4Oc
*!aku
?#Jf0
$xOGW
1n&CS
9.HxW
8V/oa"
Z1Ox`
AewDIE
I-HIw
0QJ0.
Q:/{W
/o454H
qy-{;4
}j)]Z
@uf)_
O-U>F:
:m&B"
)2{#3
k]?|T
g^QHS:
o-avw
\wBaY
dK^P{
9;0Ko
ODkB%
!,v1`
P2A:T
d+cN\d
Yu&2DI
x5Bm
V5[ew
e;q~.$*N
6D)JPh
tZ4A;
\r/PT
.!MIf0T
hTc:m
7vaYYAYQ6+
e&B^hz
*xiY2
q#aiO
A}I>kGF{G
^Q*,z
ooP\c
6gPw=T.
}{x0M
*/rA[
[};[K2
U?7rO
dZc1U
u$O}&O[6,.
0c{3J
KG^f\
z;^wB
F}{"f
[-**9
DY|S.'E
3}97)
B]'Vl
H>[o!$w%U
,1AEy3Fz;
*@jMu3>t
|3"Xp
hZIr1Ln
s;GJO
qivD(
%\i2I
,[FqXh
RZ>l n
54Qpc
6Y(TQ?
K&cm+
]O}$r
@~]1p
ktU\(W1'
&%@J3
NXfp#Q
F(HTpq
#\h;D
=/bUR
LZaEC
UC}n$F
B5X?N
:Q{`
Mz8Ws
H2|U(p
CX#7(
h-W2]
D3>IU
8~iuc
;jbe$!
~wQ0Wd
AgyPv
+FFQm2
xR*_r
w3 De1
s/+0;
Yvqt;
qL g^
G9t2W0
]8vCF
&#Zj2f
=]~L&,@
1YBln 9
mK8z2
JFv%Y
#<\|[
KOgRU
*v=Cl
qZ(FQ
+,wl`
Y]FqR&
W\*/s
.O[nz
qQ(XKY
%c1Lt
Bn=IA
l:BeJ)
#,x'7
7Es`&
v,a{z
Uw&nDK~4.
/3D)hR
:S~'|=O
dlzw
q$V=WP
yTsBO}
Iy)@J
|:B)|
xY|SV
*z83|s&
QA%Sf
<Cre-
Io7e$
ZvtBg\
V0a7,
j8:e#/
S`?&,^LHSuJ
=T^]Cb
br~T#y"
S{N?l
,#pC/
v,wwb
(p\I&
Ze0[#
m+sQ;
i4VUs
lH%'E
*i<Qm
vqCfZ?~9v
8DubQ
-g\mH
zpdX7
6?C8v
G0yut$
$fdG0#n
GBQ(5
l"dE6Y
8.U82~
1wC%Uuf\
\,?nY
PV&^m)=
aX?]O
p_Lz{
*7(Rf
t}>ll
JD1v"
e(*#lQ
R;Gaj
-ga9;
_nZ?D}
$G_'M
{0be9
-;%@J
MQ :S
Ms\}dLx<!
Zr?j3
S%)Hd
wRX^C
5~`:Z
[\mULd
;d-xq>t
cRUA?
p%pc2'V
|v2nE$
@fKv;J
1ejP
-9#~O)
1MC{l)i
xYl}W
E%%4dg
l6NA%
>Y^$h
'FfP4v%
(D^_q
YlHts]
c8lZA
`#so4
}8LRm
<\eLx
U[=Xf
gZc}"
f0uz:
&UYh"
b'nk+1
t8Gww7
C>$sqk
gSZo$
G.G.x
P21>-8T
.J6,EH0V
'a1x,y
TZln$A
q*^[[
aHnWR^4
`GP'|c
0o7_0
5XOjF
-8?z<
0k\CW0
x)}e.j{
c^5fb
|x9}+
i.*Ns
qlE_N\
|sIEOE
F()1]?
qP0a+
Q4Fv\&%
6cSPZgL
E2&\I]J
$Avq|
`nwug
;nqU,
E&D++
!U,)_H
d<,eI
Ki.6~
IS}%N[$
s%US{P
17i)3(
$t_)@*J
e'2)j
JF!&G
}uHP9
@=f#[
V&.}l`l
EMbV_
=[nP4l
QyULy"3
WsG['
)_G~~
%[P?p
i1gl$
:osRL
Pb"Zr
{`&Wv
X<'{>%
Lx1=S
Ew-;sb
v>5%)
6'P\x
26b2n
altVlr;
?F0as
-&}p:)J
$*y|$
:',Qo
PZLMb
yX0)S2?
lVt($'E
_<jN-
q\STo
0`D4]R
^Td3'Xv\
w.a`_
Ft3S>]
O8qt{
gap'-
\=MT3
rQI"9=
e,7\>
LbtwR
oSyW;
C~q|-W
!sMoq
dg2?2
OYp[H
*{Q4F
Lp1 HI
`}J3B|
=Y5z-G
Sd+2Z
ZJta{
rs]2G
%\{_ga
n;Mrz
.p8D>
KsH^R
35qHH&
/RJJf
ojNts%
S/ax\
0s&1~
O"ej
^X&^a
z6lRCn__Qd
m/OKcG
OUS(=Bk0
7g57z
%Y5Zt}'@
T=.~,#7P0)
7\zSAU
/GRZy
&;j++
QhkMF
gzH(Gr
qeJ"*
L`EK[:
$Dr 9
`Rntj
*Tj9i
5S9s0
8K?l$s
_aegG
dG?fW
V"Rf=
sr{/f
J%9_|
\OfRhkF
3n|_Aq
v3qf:G
weeS(
ES;czg
NegSm
4^ Mf
,g}S,
dB{|6zp
W0sh5
wG3L0a
+=kJX
dYuk)H
s7z33
v-9&;
Av=P>7
T*akg`#
"eIjT
:wfv/]>
y$22&
R&,1=O
'@Je=/b
K%9)~T
%T4:0"q
(2M8}
gZ7CQd
cy}9~
Sn3Hc
fa;]>
YWb\^
+%vWYj>J
ki1n.
VVB#v
N&1v0)
&v?}H
$<:TjZ
Mvj+f
dRx}P
]!I;OBs
Yis{a
H]C.V\
gF(s#-
tQd"o
dN4&R
KzQ8d
$#x%{
Ba3M~W)
"Bs#K
R3F'u
LZP$]
2^m%=
}Pru#
i(zY+
5qI<O
M]ei%
-cDF(
d'KS%k
(GLG/
v^0m|
4_/4 k
Vt#\i
25h/z=+
~Kq:o
4Wjz>
,'F6`
+#\3I>
ehkAz
+0{y9
jPT-&7x
\ML7}
M7\lF
Y/bYH
p{-g)H
yCq[T
[/7Beoa(
OXuw\2
N(^>.
:Lvm%s
8uN'@
tM5#J~
OG}dH
nQP#G
Kmy=.
lix"m
yQg"m
_2De
]gsl=ec&a
iv?^6~
s>]Zd
loVQ>
fq}8u.
W;?g~_w
8z}$\v
13+V0
sDv mG
^+Gd.5
oiO9F-
kSiu3
<[J,Q
F0rjKd
*3q~W
'4J^<&D
8z\`vL:
qOB2{
EdwSEyg
p&7.\C6<
XBN&H
oK6duAFI
LR0K?
tMG//
=aW|F
}tBp?
r,oPG
*@)EB
(cRN )y
X&sQS
>!3(2U!
zYi2G\
OR9Z*c
_;p:Y
p[UIn
:!?S>
%:0<(
cb 6i
_GMY!
F6Kdr=^
A{"e~
d.x2&
07Vhx3z
~e5AK
_`Hl,
_J?Qd
d$h<:@
MKKqO
R]Eya2U
dNnd"
&Vg*y
mBQcG
B`I8K
.w6Q5;
tcBH
?v83L
g<l<+
-;_=$
R6e7of
4 td=QBr
{s8rw
`&HF{o
cQ<V5
Ksc7\
[LLP[
Iu#H?
2(@BHr
Go"LF
PRk*'
<%\2[F
t"i}<e
{MpMp
D'|Fj2
R"5Is
/CW1m
|f-Kg
2hOc[k
:oj'X
,;Sil
`:`*=
;lz|
"xrWVUla
3+j3[
I0grn
gW:q&0T
Uky<.
0)q$J0a
H5MFi
FrT&#
[OQu'
gjYSN=j
r|KsH
g:k<c
n)/2:
w:*Lc
[0uM>
D`o)J
0Pw%k
,d}B5
>F0as
`SZ,=
b6Nv\V
$HIK|
BM<=*
syy1A0
=)%E=
sZkx}
`A[Vu
8%uM)l
x,9UN
NQdBH{
u~K;N;
ss,qV
^x'DS"
DQdd~
vUP>=
AwY7u!
WQ)dK
G!}2?
4F;7P
I3tEw^
lQd6d
tNd\^(
e`zWb
Ci3y%
%sQs
LU4>=
Fb8c5
CX1|.
4kF*L
)>=c/
`@Ag]
_$nr:
'gQd>
a''qY6
rQ\QI
Vm:Fx[W
Naf3,
y|SoY|S^)
h*u#O
w{v\lI_[
x_TYCz|\F
SP Y!R
\_Z_Bn
I5\~&\v(
-R1/+#5
LZ;70
Mq]Z'
pWF=w<
^dOpWKL
_S0y%
g[Yzm/
,%)i2w
0/.eV
.#hWO:
tbqYG
SX,>%
*%vunN
E/t?%J/
1k13>
nntW^
3yY3n
E*7-7
jykz^^d,
X_aA'
b4Tim
]"n}B
hZ0{L
is:N-D
$Gu&Z}|
sF 5^
`s+*$zt
2w|zW
J4l"D
p6=>L
9~G7K
(@j;{
qM17$
G>x0?:
<m$ak6
.]+aV
Q|&an
q~&N#
m>LC/s
gFdvQBG;
Jv&VKG
Y<\z'
n7*(,
!FzBue
h3hBW
I71G!
&qC2g
X3IZv
G^q-O{
JG4bbQ
GjGjr
Gd"N15
O9BJ^
yJlwjI
3<OH3
4Kz,}
-k6YJ
Lswi|SJr5
?zw)qa}q
#YM7N
NEGKR
z9g7(
0E<Nh
8TOz'ln
hv_r]
3hu0c
T1_4P
[(0dv
S^/@*
x&N('
r+q+0
DM)C#r
Zv<jf
Uos^&
]Q2gj
::GOK
fK~ ys:1
i,qqeX
L:Tud
Uj|_y
r%i23
eR&\%
mA!wntE
*Li5J
"w_{v
MN:hK
RIniN
??a]w
m$.\1$=
/YF)F/&
[S4h;m
6Rn<B{
|wLc>
U.VOFY
8nZGJ
CUv6uw
J&t!Kt
@|z I
Ns.1r
U[FnZG
qn!Ow
_r$r]
`8mF.'$
0=vU[
2YZu8
s(--mq
+.X'(
aM">#
ZV>xNt
nwDFq1
yQT^Hue[J
bm7o2
f9NwC
=#b_c
]/`#yxt
=#0w3
g"Nv3
?>]]Iuk
$W}7_
p!hHk
^C80y1
'uw:p
l%}U_j
rfG?f
oZRAYI
rf?vl
)G.u?
'g1^u
'pi5j)~
p[KvU
y7Nl<
0$f>K
2bJk.&
,>WQ?
]}2i>i1#ZY
5|7[B
]C`@)?
N,6*D
[gQ]jAI
}HoTA
&3"`#
T*SF3u
Dq^5Zk
q w9Nc
m|m*`
;Efh9
i2c5
W~]^K
<(w`E
f\57`=
\0-5+
f`K6f=
(@jtm>1?
n9;*K
ixd+3
#z-!9K
T?B~o
;]0aO
3=>@0aW6
+RM"8T*K
&p)o5
`cynY
zmtJ7
a:*1BbP
eth'+I
"%/VS
Z-_ #
q/d>M
>a}|$j'
em$9OV
djv#i
XgPnp
?Vav`
%#\zR&
v1+*a
^W61r
N.sX<o
7D2=z+
/8mO]
~AUV2
\4.IZv
&I*JH
,p#Fs6
hA2'%}
os&r_=U
vP2>-
,IOUaR
A2zMN
dLixYAa
li}'vV-
V^h{R
|]PFf
lvhn`
J:qE;bw-#
Gws/a
YUG83
oJA+{7
J}=:U%
Nxp[#
5YLka
OE)VJ
r4]L1j->
70J|)
Va/Hf/
O).<@
[MWj]#II5
-"zN!
@eRT]hyl
>/jYv
Z*Z$r
yFlWj
/3|q-
a#q]bB?
}_Ql=
xZMD?,
^cKpi
d.tx-
0B_C*@
-x%qwH}
o"[Tq
!1M-q[
8t)k/
l'H&Y
;a[my
~o:~<&
[hEyq
`(SR=:3d
lFTf0
aDLK[^
rAQ})+
}L,Fj+
n<@ec
IY+a`
:,^5g~q+
:ji1i
}zh&l
]RE1[
,KF1d~Vw
}o_"%
6Dr<w
OxPq)
>l36q
J,[g`
LBS7n
#p}/V
6jrO9
#@J[(
:<mbp{
eI=|Z
s6ZL:
rqf$?
N `|4c*
zWJF;
*ND;I
F*-Osc
fYv#Dq
`&)[00
)ltaG
IiMgjGf
eL`Ka
ezD>'
a}X46
I'5~8
`'_]v
kPo,
^wnP/SRG
-t$8<_
a#[0E
I%*v2*V
G}$2~>
YJFVg
HXl"~
q[2ew
#]{yc=P
ZNCK)
QcUi3i8
'GF?l
<B|IeJ
A2kmQ
[L')l
ZbLL+uQ
Kj{01
wr~.fs
/G(_#
NBtO1k
Y{yw
M?*)+
}Z\8
B)?G7E
1q0.`<
h3K;_
d9kf*
)oFO-
3,x HfD
hG1YV
Y|S^5
O"1+]Q^
cCC[2
|2/<aLq<
"9<y/
S[xn}
Kv|{q
ni<hH
): @NJ
%n)%-n
/*?;3
8p[61
5y"qA
{',[Z
dJN'Q
9AaI,e*
WK)gf
yVbGP
-~qA^
p2vVmq1Oa
tR=&2&
FZ1-~
=vL(H
*6NVB
,c.E%
V2#0YB
H[1V(
$oToj
?.u\=
AW~JA
\{=f=
-PNPeB\
R=Pvq
?=V3p
$^$e{
Wj1tIF
KX9-f
f*'WV
h'Z?m
e-\QB
dj&Qk
Zz&l"
3A2Cp9
=>=G2
Vec|MZb
H%}ec
G3ldW!
h#DB&
_rgve
0jp8Y
ti}j%
hHFrF8
2~h%Auc
_|S{'
~mD7~(
W`BX;
qdY|dr
9Oo3wS
Ns4h6
c2z#+
?v<mL
zt76FMK
rO(aO
z;0Vs+
1L,Se
@}R^I
;b$36|
6N(F{
FvU.G
(tj~`
%|i53
^Z/1/
+=$*$x
%Bl=%
@B;;&oW
9c~[%pmH0
|--$~
mqL6`
}VcIz?t
xN>JW
%%H"R
eY3FV
%rL<&
vGLv"X
Y3|Am{^
L/_r
U(a]\
*aO2>le
X+F85Q=
{!&YM
zq$#^
6:c{#L
PJNLN
.H&M_v&<D
2q=]Q
va|0C
Adp7A
|?AB}]
-xAxO
SgBjJ
5wfyR
Fk>}K
1ePsw
+A2^~]
k^57&MNBv
GiZvCm
hQ 5v
fveHWW
GuL5U
tze60
6CeD)
Ao(ZX
MYvg1
BZ?Sz~]@
v}Mlw
kS4$B
avkzt;
oL;FH
;Cpd7|>
gH[u\+&P
iqb;'
b{>Izq\(
1|\<9R'
Bq[Wl
FqL"U
5I#Eg
&/ :'
]z^@
b\RwP2
cyrSz
%$6E0K
ki|S]4
heG09
kq)l!+o-c
W]8Wp
]+Hf3
U+Z0Z
,{Csc}
<7Y"7
6 GTwaT
pe{~6
W60)S
HWuVh
[Gi]{
|GdE5
'Mg:9
,QiO{y
`iR$u
<\|_+>
J&Jv&
SWv4
!y0j~I
.D\Pk<
ym%Nw
X&aS"@
]Zo1]
`=TMGc<l
|gZ=:
Dw"YK
"g;pyY0k=
3JE+h)Eg]
MWgFj
&!W"U
~%8&]
?.R"yE
NT.;O
rq>a)k
l4e-\m
*agA2B
)~)@N/
Jk:S7&
;''3GY
#z0f+
e$sQg
u(v=G
#T_Yv
o*7FK
sG:tI
_4iLd
`L|&K
&SpW*
U-9!K
s:_"6
f,'*l
w&gMK
n<=O*0Fr
1}>5k
$7WCYWW
.Zi$IAJ
uZ6',
&<\0i={Wl
lCTwi
O#)mgb
QoYFY
(3pmG
MeOD%
;F0a;
+OG2T
a<i8!>
$[diFg
a7MGr
5=WV
/@*n\<=
i?R9]
5b AK
Icm"7
?dQbfJ
J48SW
n%E\,
f=Mi\
c#->|
L2*W3mp&
*O\"?
ysw|{
L<LMb0
/P&*(
8["@*
mT'Y+
qTthCf
wQ'UH
3W>J0
El-uG>
eVf 7
@j'Xc
%Yah>
v&//)
BvRTU
^Z*z?
]sZJ&
7P}aN
dxng,
kJjpy-M[N&5
SfXe!FkJ
qH6 J
G,=R&
_2v[w\
G+bYm
I-U'j
Wh [~&
jZL{BX
tzNPt8
M/'q:
KqJ$:
$uF<f
,egE(
IhCTr
LCfGJr
#f5KyR
z+q
s&?L0
^0aWwf
`gBZ6
vdedW^
?KW6E
h!1LE
/kPG]0a
){x,INBY
ATks6tpAq
uYL}=
L8n<S
o#fP;|l2h)
mQPhC
dx'.u
'8?yC
D3jxO
~.$5e&6
(w5bml3lTB
?U*sQ
d~oj"
h2cP(
.N6>e
0]0aY|
eZ+G*
`+sQS#P
3S"MK
Zuf;)
IAztQ-
P,@j|
2&<HY
u!|sk
L$#&1qB+r
(:}eO
#v*it?cLx
Z[|gM
!z3X4
3I4i9_b
.'$},
Ry)oP
1hD=g
d.xnAWpSz
Q?MC9
OJqkJj
**=PT\
,=iMH
lN81:
U1UgJ
"LW|N~
(:D)chp
Y!BVd
|vtI'
+cCrO
HjoH3UCa
\wI$"
}:=3c~
b7^\:J
M6.&v
LHMg$3
_nOr];
C+i2_
s-7b.[p3
S?nY-
<bon`k
Y5m-q
R.~%r
Vk^,,
`.HFI
1BIm'
N[%A2>
OCK|tA+{
6JH_4
J;N_R
NU>c~
bR8|j"
Wn|.g
tN]*a
;^*%4
CAr17
[[~-YCZ
[90}'+
BIyXl'
=rTv'
Md?<$c1
x6Fw!
jzdX3
&HNS?h
>W'S#
sgSTg_
A()MA2
,.j}b
y1Wq3
l,{he
HPISe
6*dgP
,c.9C
lv/v$
wS,]P
p%Mfx
rn>\w
{]o"@*b
;I.z,i
c>1ri
3"v3%f
LkI+n
[ @2M
x{5T|$=
'K(ay
d0F6#
UWOZ<
=<*$9
az<[|
32q*&[
/wqTo
<w*g?
o59D:
)Q2DO1
NyU6;ZN%[
*Aii9
\>M>}
/o8Q7!
.DyN6
c<F+>2*p
#HfHX<
RC~b5IUE
sB:G#
q')YU
K=hq&
2km47S
z0^"@
I7$hu&.
$%"^i
ZiDAr
Yvw1u
7]?`J
`j&o!H
vO^P\
R.xq+]
r\8!i<Q
}O2cu
v^>WU
{>&<
N,(-!Ar
|BsM;b
gERA+
Ny&SR9
2<?<e
GoM)z
\oN]F
C):RN
)8f^a
s,Xpb
Wll}X
@.QM8
!?i(Y~/q
tSBjD
tcD3s
vp)ZJ
|"bg&mn
bS:|R
@:M|GN
G2%\k
]nP\g
^q}IY
x9Dv'
zA2WZ
)DP]gj{
gEk..]J
iT-[z>
["}cCH
AIo,9
(tMK9
:Sup1
TgQ/>
I,8aI
oO:0#
5e[I.
&@z'\
$9A29
<l1=b
H)OEw
)}2Q^^
j.<>I
($Izx*
\Eiy-
.[0%}8
tUp.{zK
=`>y1
+',5sx
p2r,z
I|m>c
x6uS$
QX,TA
E2,[2
(-m+4
ECbz>
pmA24
LZkEB
_+}x8e<
;wG6+
gpjw/
sQd6h
TwxBcb
vkHz
?f^l6
\5NmWr
_|SAm
/F]w 2
pgttg
0'"G;
wp~}g&
MftD5_
aLTP%
>W$.t
4(5'y^W
m5h?M
YlB5/R
,1gg3g
i?^IO
i0[E[
p4FO#8
V#1LMB
no-Y%
hd}n2
R&5[1
'ZGNR>
PMlKh
]bx<o
Xv cd
.,Q#[
zf'1x9
j"mI6
pLiCoq
lO`su
@Sy.>
_J{2y
%G,sQ
13jmx
<:RFll
]3X>[
:gb:6
d4c2U
Akx0i
%@jcN
}&_6ua
p8$5(
0Wjzn
<<Nh_)
y}Y~[
J~QU|
0)HUp$
HYN$Kz
|,mNj
oxLjE
q;Cri-
e;1Q)
TBYVF
1,j#7
6Qg2D
`IDAT'
?rnG%
J:'\]2
MeXV.d
L8zg>^K
!751fK
,pu"jV
*|Fve
c%]fP&N;
jf&5H
KB(n&
]"Y @*
w3P^o
lb'h1&
u#C6^
m1}z=`k
WoPp5
HswlBdy
|q)z7E
qvU--
T6vuC
.KgI|
E1#vt
FoJ:W
'<y<F
&NN{pie
Q*yx\
TwO v
-puj-
`7-"M
%2;Xb0u
6eUde=
iOXAo
'.yE9
*@*J*
t$Mk-
=y]>4
Cm3;z
{0}=Nb
rwXr9
\-dHa0
GaX$s
5&Wpj!
i?$xq
>-)\\Dw
4ye+xWj
EQAO({v
8Cxu>ZE
.q(vc
_|Sb:2yGH
vO](]
lLtcW
[vc7E
BSf33
CdI5,FE
.GB+%4
pqQ-?/
q~]SF2
pUg$5*
k,@-B
Mb{rk
)H5``l
YTj,Fq
o;s;mg]
],UYz;
@H}3)
5cy(Y
6'iU3
DNE;\n
`Rz(+G
)a#=)
i{~pLe
gFD>[7w
o-0yq
V|xi9
7(N)'
3.1D4
z^inb
NG\[t
<k~Wa
IwlPWzI
V6Nbe
.EiY&
P_GLb
+KQ^\.d
LGI*x
"6nh !
M|d8}
$+f2Yi
s<9ZS.
$\>$sY'
g[I6G;N
%KFQ
wHblD
Y;oPs
xnd,a
vIdyndqH_B
4]|l5[
DC6%P
<URb\
o:+KF
k263KQ
2leO6
TBM}5s
F[1^0
n-%Q0)s
p~g{!
pB6g*
1&|^=
af^NV
P~O0Y?%
fAvo5z
6&T}<
_\}^K
hSeFHK0
"wv_Z{~
'I/nQ3e-O{
M7c4>kR2d
[9yP0
R0#YF`
|:aCQ
o|Sq1
.)!_f#
wH6.
LHH!a
nsqY7&
J?":;
kYPg'
rt8;p
s0c^6
6=JZm
Z3oj#BI
38[^(
Cx[wA>
$3d#\6
1!$GJs
!q-+*
lI/fgO`~
jGcP\
1[*Bx
P8d'}"Z
XhiBk
D+7_bmg
wb];O
*7MA;
5"NRD
oR~ZC
y,w>@1
fq2DJ
wSx7=
3S4Y5
mo?r{62
'z0&Rc
+o2-2{c
8'bQ:_
l 3WW
EN'@:
UExE=fK
w{$o7
we^c&
CV0oS
E3;.l
q{T4-
l#%5Mfz~
Et]6!o
zw1#"rP
_k'zU
nw'fO
?GPZ?
8h4?{
OUi<8
~W5in0
GSR:/
(')p.
JWnuI
jh(Z>
%yL-W
r[/#KQ
*=:xs
\>gzR
H42BC)
P%t]Va
PSVB_+
IOGWF
V/DoL%
Z1\0)Um
JJo_'
%mudL*
6LB3{?]=c
&D\Sb
B}U9q
d*[f0
0gY+<
DgMDAm,
TRc=0m"
th7FZw
@iM-Uu)
$s1$k2
EHXSZ
U6i(a
#*oQ>Fv
te.j~
/'>bTY
5kUuh
%k4#A
7E..
t3/@b1
oKjn=
?vI"X
8j9fX`
uCm/c
-"{? 6
Nbb$?d
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
IconData
IconSize
System.Drawing.Size
System.Drawing.Size
width
height
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
levels.txt
Segoe UI
toolStrip1
toolWall
toolBox
toolHere
toolDone
toolNone
toolUser
toolStripSeparator5
toolStripTextBoxMapSize
toolResize
(Enter)/
ToolStripMenuItem
ToolStripMenuItem
toolStripSeparator3
toolStripMenuItem2
ToolStripMenuItem1
toolStripSeparator1
ToolStripMenuItem
ToolStripMenuItem1
toolStripSeparator2
ToolStripMenuItem
ToolStripMenuItem1
toolStripSeparator4
toolSave
toolStripSeparator6
toolBack
toolNext
toolStripSeparator7
toolStripLabel1
toolStripSeparator8
panel1
notification_boxes
notification_endplaces
$this.Icon
SokobanEditor
SuperSokoban
Microsoft Sans Serif
label1
v.0.8.1
Adobe Heiti Std R
buttonStart
Start
TatianaC
label2
WelcomeForm
SuperSokoban
toolPrevLevel
toolStripButton1
toolNextLevel
toolStripButton2
toolCurrentLevel
toolStripLabel2
toolProgressInLevel
toolStripLabel7
toolNumberOfTimeLevel
toolRestartLevel
toolStripButton3
(Esc)
toolStripLabel5
toolStripLabel6
toolFactOfSuccess
LabirintForm
qEdvISNAwXUOvXQLqcgEHTGxehsQN
epy TteG
CoreModel.Setup
doht eMteG
Delet eSetup
eko vnI
VersiveProject
Window
Text Files (*.txt)|*.txt|All Files (*.*)|*.*
menuStrip
MenuStrip
fileMenu
&File
newToolStripMenuItem.Image
newToolStripMenuItem
openToolStripMenuItem.Image
openToolStripMenuItem
&Open
saveToolStripMenuItem.Image
saveToolStripMenuItem
&Save
saveAsToolStripMenuItem
Save &As
printToolStripMenuItem.Image
printToolStripMenuItem
&Print
printPreviewToolStripMenuItem.Image
printPreviewToolStripMenuItem
Print Pre&view
printSetupToolStripMenuItem
Print Setup
exitToolStripMenuItem
E&xit
editMenu
&Edit
undoToolStripMenuItem.Image
undoToolStripMenuItem
&Undo
redoToolStripMenuItem.Image
redoToolStripMenuItem
&Redo
cutToolStripMenuItem.Image
cutToolStripMenuItem
copyToolStripMenuItem.Image
copyToolStripMenuItem
&Copy
pasteToolStripMenuItem.Image
pasteToolStripMenuItem
&Paste
selectAllToolStripMenuItem
Select &All
viewMenu
&View
toolBarToolStripMenuItem
&Toolbar
statusBarToolStripMenuItem
&Status Bar
toolsMenu
&Tools
optionsToolStripMenuItem
&Options
windowsMenu
&Windows
newWindowToolStripMenuItem
&New Window
cascadeToolStripMenuItem
&Cascade
tileVerticalToolStripMenuItem
Tile &Vertical
tileHorizontalToolStripMenuItem
Tile &Horizontal
closeAllToolStripMenuItem
C&lose All
arrangeIconsToolStripMenuItem
&Arrange Icons
helpMenu
&Help
contentsToolStripMenuItem
&Contents
indexToolStripMenuItem.Image
indexToolStripMenuItem
&Index
searchToolStripMenuItem.Image
searchToolStripMenuItem
&Search
aboutToolStripMenuItem
&About ... ...
toolStrip
ToolStrip
newToolStripButton.Image
newToolStripButton
openToolStripButton.Image
openToolStripButton
saveToolStripButton.Image
saveToolStripButton
printToolStripButton.Image
printToolStripButton
Print
printPreviewToolStripButton.Image
printPreviewToolStripButton
Print Preview
helpToolStripButton.Image
helpToolStripButton
statusStrip
StatusStrip
toolStripStatusLabel
Status
MDIParent1
Progress: {0} elements processed
From {0} to {1} {2} should be {3} but is {4}
median
VersiveProject.Properties.Resources
CoreModel2
$this.Icon
$this.Icon
copyToolStripMenuItem.Image
cutToolStripMenuItem.Image
helpToolStripButton.Image
indexToolStripMenuItem.Image
newToolStripButton.Image
newToolStripMenuItem.Image
openToolStripButton.Image
openToolStripMenuItem.Image
pasteToolStripMenuItem.Image
printPreviewToolStripButton.Image
printPreviewToolStripMenuItem.Image
printToolStripButton.Image
printToolStripMenuItem.Image
redoToolStripMenuItem.Image
saveToolStripButton.Image
saveToolStripMenuItem.Image
searchToolStripMenuItem.Image
undoToolStripMenuItem.Image
CoreModel2
qEdvISNAwXUOvXQLqcgEHTGxehsQN
j.#s.+
.Cs.K
.Properties.Resources
EntryPoint
Invoke
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
CoreModel
FileVersion
1.0.0.0
InternalName
CoreModel.dll
LegalCopyright
Copyright
2020
LegalTrademarks
OriginalFilename
CoreModel.dll
ProductName
CoreModel
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
$this.Icon
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
VersiveProject
FileVersion
1.0.0.0
InternalName
eluugEKZi.exe
LegalCopyright
Copyright
2018
LegalTrademarks
OriginalFilename
eluugEKZi.exe
ProductName
VersiveProject
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean DrWeb Clean MicroWorld-eScan Clean
FireEye Generic.mg.5ee539aad0490934 CAT-QuickHeal Clean ALYac Clean
Cylance Unsafe Zillya Clean SUPERAntiSpyware Clean
Sangfor Malware K7AntiVirus Clean Alibaba Clean
K7GW Clean Cybereason malicious.6436ff Arcabit Clean
Invincea heuristic BitDefenderTheta Clean Cyren Clean
Symantec Clean ESET-NOD32 Clean Zoner Clean
TrendMicro-HouseCall Clean TotalDefense Clean Avast Clean
ClamAV Clean Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean
NANO-Antivirus Clean Paloalto generic.ml AegisLab Clean
Tencent Clean Ad-Aware Clean TACHYON Clean
Sophos Clean Comodo Clean F-Secure Clean
Baidu Clean VIPRE Clean TrendMicro Clean
McAfee-GW-Edition BehavesLike.Win32.Generic.gc Trapmine suspicious.low.ml.score CMC Clean
Emsisoft Clean Ikarus Win32.Outbreak F-Prot Clean
Jiangmin Clean eGambit Unsafe.AI_Score_99% Avira Clean
Fortinet Clean Antiy-AVL Clean Kingsoft Clean
Endgame malicious (high confidence) Microsoft Trojan:Win32/Sonbokli.A!cl ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic Avast-Mobile Clean Cynet Clean
AhnLab-V3 Clean Acronis Clean McAfee Clean
MAX Clean VBA32 Clean Malwarebytes Clean
APEX Malicious Rising Clean Yandex Clean
SentinelOne Clean MaxSecure Trojan.Malware.300983.susgen GData Clean
Webroot Clean AVG Clean Panda Clean
CrowdStrike win/malicious_confidence_90% (W) Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.4 62350 1.1.1.1 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name svchost.exe
PID 1920
Dump Size 20992 bytes
Module Path C:\Windows\System32\svchost.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:19:28
MD5 af78a311a0d758744a612a934c48c996
SHA1 d0fbe5cdf10aca6a862c74a3d9e576474de1d090
SHA256 ac8c15a8293a7bf81d9db2e031c291c50673fbf04dd56069eccc07c1d492b6c6
CRC32 AF3E3F64
Ssdeep 384:Ydnfo6z/o4+KzP7Numa2rVYYj0q0/W+lFUOLg2JDaW9C5bW9odW:GQMpDTFGYEe+lFbDaw
Dump Filename ac8c15a8293a7bf81d9db2e031c291c50673fbf04dd56069eccc07c1d492b6c6
Download Download Zip
Process Name svchost.exe
PID 584
Dump Size 20992 bytes
Module Path C:\Windows\System32\svchost.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:19:28
MD5 ff47b0930d6a7c1678f3d67f10d32db0
SHA1 442347496a3cea53a51a03d41cfb801f50d9b001
SHA256 1b9cf6b738218962b29c68cce671f5bdcd631d6f4a01094326ca42da9098996b
CRC32 F283FD5D
Ssdeep 384:Ydnfo6z/o4+KzP7Numa2rVYYj0q0/W+lFUOLg2JIaW9C5bW9odW:GQMpDTFGYEe+lFbIaw
Dump Filename 1b9cf6b738218962b29c68cce671f5bdcd631d6f4a01094326ca42da9098996b
Download Download Zip
Process Name netsh.exe
PID 3608
Dump Size 96256 bytes
Module Path C:\Windows\System32\netsh.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:54:37
MD5 784236c7077eae148270fc5c908ab4dc
SHA1 185b415dc3e381c94da6858febbfd082414969e4
SHA256 1cab6d92f234bd5d2f186d4ec7ff096b72a21cf177f129299953031654727bd7
CRC32 14CAFF30
Ssdeep 768:HdoUSosKatQa6L04h5E94nqfLjs9qpEsWqBM1wBz6FqQrD:9oUSoZatFyh5EQqfLjs96EspW1ierD
Dump Filename 1cab6d92f234bd5d2f186d4ec7ff096b72a21cf177f129299953031654727bd7
Download Download Zip
Defense Evasion Credential Access Collection Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser
  • T1005 - Data from Local System
    • Signature - infostealer_browser
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 5.145999999999999 seconds )

    • 3.831 BehaviorAnalysis
    • 0.486 Static
    • 0.248 CAPE
    • 0.233 VirusTotal
    • 0.187 static_dotnet
    • 0.039 TargetInfo
    • 0.024 Deduplicate
    • 0.024 ProcDump
    • 0.019 NetworkAnalysis
    • 0.018 AnalysisInfo
    • 0.014 Strings
    • 0.012 Dropped
    • 0.005 Debug
    • 0.005 peid
    • 0.001 Suricata

    Signatures ( 2.804999999999995 seconds )

    • 0.469 antiav_detectreg
    • 0.178 infostealer_ftp
    • 0.157 territorial_disputes_sigs
    • 0.102 mimics_filetime
    • 0.102 infostealer_im
    • 0.097 antianalysis_detectreg
    • 0.088 stealth_timeout
    • 0.081 decoy_document
    • 0.075 api_spamming
    • 0.07 antivm_generic_disk
    • 0.066 Doppelganging
    • 0.063 masquerade_process_name
    • 0.061 NewtWire Behavior
    • 0.058 antiav_detectfile
    • 0.053 antivm_vbox_keys
    • 0.047 virus
    • 0.044 reads_self
    • 0.044 stealth_file
    • 0.038 bootkit
    • 0.037 infostealer_bitcoin
    • 0.037 infostealer_mail
    • 0.035 antivm_vmware_keys
    • 0.032 injection_createremotethread
    • 0.03 antianalysis_detectfile
    • 0.028 InjectionCreateRemoteThread
    • 0.026 antivm_parallels_keys
    • 0.025 hancitor_behavior
    • 0.025 antivm_xen_keys
    • 0.023 antivm_vbox_files
    • 0.02 InjectionInterProcess
    • 0.018 injection_runpe
    • 0.018 antivm_generic_diskreg
    • 0.017 InjectionProcessHollowing
    • 0.017 antivm_vpc_keys
    • 0.016 antivm_generic_scsi
    • 0.016 geodo_banking_trojan
    • 0.016 ransomware_files
    • 0.014 InjectionSetWindowLong
    • 0.014 PlugX
    • 0.014 Vidar Behavior
    • 0.014 predatorthethief_files
    • 0.014 qulab_files
    • 0.013 neshta_files
    • 0.011 antidebug_guardpages
    • 0.011 antiemu_wine_func
    • 0.011 infostealer_browser
    • 0.01 dynamic_function_loading
    • 0.01 exploit_heapspray
    • 0.009 hawkeye_behavior
    • 0.009 kovter_behavior
    • 0.009 antidbg_devices
    • 0.009 antivm_hyperv_keys
    • 0.009 ransomware_extensions
    • 0.008 betabot_behavior
    • 0.008 injection_explorer
    • 0.008 kibex_behavior
    • 0.008 malicious_dynamic_function_loading
    • 0.008 stack_pivot
    • 0.008 antivm_xen_keys
    • 0.008 antivm_vmware_files
    • 0.008 bypass_firewall
    • 0.007 infostealer_browser_password
    • 0.007 network_tor
    • 0.007 blackrat_registry_keys
    • 0.007 recon_programs
    • 0.006 TransactedHollowing
    • 0.006 antivm_generic_services
    • 0.006 h1n1_behavior
    • 0.006 persistence_autorun
    • 0.006 rat_luminosity
    • 0.006 OrcusRAT Behavior
    • 0.006 shifu_behavior
    • 0.005 exec_crash
    • 0.005 stack_pivot_file_created
    • 0.005 antivm_generic_bios
    • 0.005 antivm_generic_system
    • 0.005 antivm_vbox_devices
    • 0.005 ketrican_regkeys
    • 0.005 darkcomet_regkeys
    • 0.005 limerat_regkeys
    • 0.005 recon_fingerprint
    • 0.004 antiav_avast_libs
    • 0.004 antidbg_windows
    • 0.004 antisandbox_sleep
    • 0.004 antivm_vbox_libs
    • 0.004 exploit_getbasekerneladdress
    • 0.004 kazybot_behavior
    • 0.004 browser_security
    • 0.004 codelux_behavior
    • 0.004 rat_pcclient
    • 0.003 uac_bypass_eventvwr
    • 0.003 exploit_gethaldispatchtable
    • 0.003 vawtrak_behavior
    • 0.003 disables_browser_warn
    • 0.003 obliquerat_files
    • 0.003 remcos_regkeys
    • 0.003 sniffer_winpcap
    • 0.002 antiav_bitdefender_libs
    • 0.002 antisandbox_sunbelt_libs
    • 0.002 encrypted_ioc
    • 0.002 antisandbox_threattrack_files
    • 0.002 antivm_vpc_files
    • 0.002 banker_cridex
    • 0.002 modify_proxy
    • 0.002 network_tor_service
    • 0.002 medusalocker_regkeys
    • 0.002 dcrat_files
    • 0.002 warzonerat_files
    • 0.002 warzonerat_regkeys
    • 0.002 remcos_files
    • 0.002 targeted_flame
    • 0.001 Unpacker
    • 0.001 antiav_bullgaurd_libs
    • 0.001 antiav_emsisoft_libs
    • 0.001 antiav_qurb_libs
    • 0.001 antiav_apioverride_libs
    • 0.001 antiav_nthookengine_libs
    • 0.001 antisandbox_sboxie_libs
    • 0.001 antivm_vmware_libs
    • 0.001 ipc_namedpipe
    • 0.001 office_flash_load
    • 0.001 persistence_autorun_tasks
    • 0.001 rat_nanocore
    • 0.001 tinba_behavior
    • 0.001 antisandbox_cuckoo_files
    • 0.001 antisandbox_fortinet_files
    • 0.001 antisandbox_joe_anubis_files
    • 0.001 antisandbox_sunbelt_files
    • 0.001 antivm_generic_cpu
    • 0.001 bitcoin_opencl
    • 0.001 browser_addon
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 arkei_files
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 packer_armadillo_regkey
    • 0.001 persistence_shim_database
    • 0.001 nemty_regkeys
    • 0.001 revil_mutexes
    • 0.001 spreading_autoruninf
    • 0.001 stealth_hiddenreg

    Reporting ( 14.728 seconds )

    • 14.686 BinGraph
    • 0.042 MITRE_TTPS