Detections

Yara:

AgentTeslaV2

Analysis

Category: FILE
Package: exe
Started: 2020-06-22 14:41:59
Completed: 2020-06-22 14:48:22
Duration: 383 seconds
Options: route = tor
Log:
2020-05-13 09:08:16,571 [root] INFO: Date set to: 20200622T11:39:59, timeout set to: 200
2020-06-22 11:39:59,046 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-22 11:39:59,046 [root] DEBUG: Storing results at: C:\UbkyhgifY
2020-06-22 11:39:59,046 [root] DEBUG: Pipe server name: \\.\PIPE\hbOLPvplf
2020-06-22 11:39:59,046 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-22 11:39:59,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-22 11:39:59,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-22 11:39:59,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-22 11:39:59,078 [root] DEBUG: Imported analysis package "exe".
2020-06-22 11:39:59,078 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-22 11:39:59,078 [root] DEBUG: Initialized analysis package "exe".
2020-06-22 11:39:59,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-22 11:39:59,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-22 11:39:59,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-22 11:39:59,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-22 11:39:59,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-22 11:39:59,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-22 11:39:59,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-22 11:39:59,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-22 11:39:59,390 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-22 11:39:59,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-22 11:39:59,390 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-22 11:39:59,406 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-22 11:39:59,406 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-22 11:39:59,406 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-22 11:39:59,406 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-22 11:39:59,406 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-22 11:39:59,406 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-22 11:39:59,406 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-22 11:39:59,406 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-22 11:39:59,421 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-22 11:39:59,421 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-22 11:40:04,000 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-22 11:40:04,062 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-22 11:40:04,343 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-22 11:40:04,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-22 11:40:04,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-22 11:40:04,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-22 11:40:04,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-22 11:40:04,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-22 11:40:04,468 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-22 11:40:04,468 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-22 11:40:04,468 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-22 11:40:04,484 [root] DEBUG: Started auxiliary module Browser
2020-06-22 11:40:04,484 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-22 11:40:04,484 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-22 11:40:04,484 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-22 11:40:04,484 [root] DEBUG: Started auxiliary module Curtain
2020-06-22 11:40:04,484 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-22 11:40:04,484 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-22 11:40:04,484 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-22 11:40:04,484 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-22 11:40:07,093 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-22 11:40:07,093 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-22 11:40:07,093 [root] DEBUG: Started auxiliary module DigiSig
2020-06-22 11:40:07,093 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-22 11:40:07,109 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-22 11:40:07,109 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-22 11:40:07,125 [root] DEBUG: Started auxiliary module Disguise
2020-06-22 11:40:07,125 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-22 11:40:07,125 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-22 11:40:07,125 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-22 11:40:07,125 [root] DEBUG: Started auxiliary module Human
2020-06-22 11:40:07,125 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-22 11:40:07,140 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-22 11:40:07,140 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-22 11:40:07,140 [root] DEBUG: Started auxiliary module Procmon
2020-06-22 11:40:07,140 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-22 11:40:07,140 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-22 11:40:07,140 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-22 11:40:07,140 [root] DEBUG: Started auxiliary module Screenshots
2020-06-22 11:40:07,140 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-22 11:40:07,156 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-22 11:40:07,156 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-22 11:40:07,156 [root] DEBUG: Started auxiliary module Sysmon
2020-06-22 11:40:07,156 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-22 11:40:07,156 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-22 11:40:07,156 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-22 11:40:07,156 [root] DEBUG: Started auxiliary module Usage
2020-06-22 11:40:07,156 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-22 11:40:07,156 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-22 11:40:07,156 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-22 11:40:07,156 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-22 11:40:08,843 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\43256543245543_pdf.exe" with arguments "" with pid 5612
2020-06-22 11:40:09,546 [lib.api.process] INFO: Monitor config for process 5612: C:\tmpnwhtwc92\dll\5612.ini
2020-06-22 11:40:09,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:09,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:09,765 [root] DEBUG: Loader: Injecting process 5612 (thread 5372) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:09,765 [root] DEBUG: Process image base: 0x00230000
2020-06-22 11:40:09,765 [root] DEBUG: Error 2 (0x2) - Loader: Failed to call named pipe \\.\PIPE\hbOLPvplf: The system cannot find the file specified.
2020-06-22 11:40:09,781 [root] DEBUG: Error 2 (0x2) - Loader: Failed to call named pipe \\.\PIPE\hbOLPvplf: The system cannot find the file specified.
2020-06-22 11:40:09,781 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:09,781 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5612
2020-06-22 11:40:11,781 [lib.api.process] INFO: Successfully resumed process with pid 5612
2020-06-22 11:40:11,796 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 11:40:11,796 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 11:40:11,812 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5612 at 0x6a6b0000, image base 0x230000, stack from 0x3f6000-0x400000
2020-06-22 11:40:11,921 [root] INFO: Loaded monitor into process with pid 5612
2020-06-22 11:40:11,937 [root] DEBUG: set_caller_info: Adding region at 0x00300000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-22 11:40:11,937 [root] DEBUG: set_caller_info: Adding region at 0x01420000 to caller regions list (ntdll::RtlDispatchException).
2020-06-22 11:40:12,531 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-22 11:40:12,562 [root] DEBUG: set_caller_info: Adding region at 0x00550000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-22 11:40:12,812 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x617fff
2020-06-22 11:40:12,812 [root] DEBUG: DumpMemory: Nothing to dump at 0x00550000!
2020-06-22 11:40:12,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x550000-0x555000.
2020-06-22 11:40:12,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_634647121201322162020 (size 0x4ff6)
2020-06-22 11:40:12,859 [root] DEBUG: DumpRegion: Dumped stack region from 0x00550000, size 0x5000.
2020-06-22 11:40:12,859 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (advapi32::RegOpenKeyExW).
2020-06-22 11:40:12,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x17ffff
2020-06-22 11:40:12,859 [root] DEBUG: DumpMemory: Nothing to dump at 0x00080000!
2020-06-22 11:40:12,859 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00080000 size 0x100000.
2020-06-22 11:40:12,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x80000 - 0xb0000.
2020-06-22 11:40:13,015 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x80000-0xb0000.
2020-06-22 11:40:13,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_2452366851301322162020 (size 0x2fffe)
2020-06-22 11:40:13,078 [root] DEBUG: DumpRegion: Dumped stack region from 0x00080000, size 0x30000.
2020-06-22 11:40:13,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x703E0000 to global list.
2020-06-22 11:40:13,078 [root] DEBUG: DLL loaded at 0x703E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-22 11:40:13,078 [root] DEBUG: DLL unloaded from 0x76020000.
2020-06-22 11:40:13,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x00400000 to global list.
2020-06-22 11:40:13,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x00400000 to global list.
2020-06-22 11:40:13,093 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-22 11:40:13,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69060000 for section view with handle 0xdc.
2020-06-22 11:40:13,109 [root] DEBUG: DLL loaded at 0x69060000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-22 11:40:13,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B9D0000 for section view with handle 0xdc.
2020-06-22 11:40:13,109 [root] DEBUG: DLL loaded at 0x6B9D0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-22 11:40:13,125 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5612, handle 0xfc.
2020-06-22 11:40:13,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x100 amd local view 0x00200000 to global list.
2020-06-22 11:40:13,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x00210000 to global list.
2020-06-22 11:40:13,140 [root] INFO: Disabling sleep skipping.
2020-06-22 11:40:13,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,156 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x05B00000 to global list.
2020-06-22 11:40:13,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x67810000 to global list.
2020-06-22 11:40:13,187 [root] DEBUG: DLL loaded at 0x67810000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-22 11:40:13,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 amd local view 0x6B570000 to global list.
2020-06-22 11:40:13,203 [root] DEBUG: DLL loaded at 0x6B570000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-22 11:40:13,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x77020000 to global list.
2020-06-22 11:40:13,218 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-22 11:40:13,218 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-22 11:40:13,218 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x43ffff
2020-06-22 11:40:13,218 [root] DEBUG: DumpMemory: Nothing to dump at 0x00430000!
2020-06-22 11:40:13,218 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00430000 size 0x10000.
2020-06-22 11:40:13,218 [root] DEBUG: DumpPEsInRange: Scanning range 0x430000 - 0x431000.
2020-06-22 11:40:13,218 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x430000-0x431000.
2020-06-22 11:40:13,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_19740627643301322162020 (size 0x4ba)
2020-06-22 11:40:13,265 [root] DEBUG: DumpRegion: Dumped stack region from 0x00430000, size 0x1000.
2020-06-22 11:40:13,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,312 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,328 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,343 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,359 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x00460000 to global list.
2020-06-22 11:40:13,515 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:13,625 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:14,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x26c amd local view 0x66E00000 to global list.
2020-06-22 11:40:14,687 [root] DEBUG: DLL loaded at 0x66E00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-22 11:40:14,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x268 amd local view 0x66620000 to global list.
2020-06-22 11:40:14,703 [root] DEBUG: DLL loaded at 0x66620000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-22 11:40:15,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 amd local view 0x66220000 to global list.
2020-06-22 11:40:15,484 [root] DEBUG: DLL loaded at 0x66220000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-06-22 11:40:15,484 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 11:40:15,500 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 11:40:16,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65670000 for section view with handle 0x268.
2020-06-22 11:40:16,656 [root] DEBUG: DLL loaded at 0x65670000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-06-22 11:40:17,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 amd local view 0x63D30000 to global list.
2020-06-22 11:40:17,328 [root] DEBUG: DLL loaded at 0x63D30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-06-22 11:40:18,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69830000 for section view with handle 0x260.
2020-06-22 11:40:18,750 [root] DEBUG: DLL loaded at 0x69830000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-06-22 11:40:20,312 [root] DEBUG: DLL loaded at 0x69EC0000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-06-22 11:40:20,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69D70000 for section view with handle 0x260.
2020-06-22 11:40:20,937 [root] DEBUG: DLL loaded at 0x69D70000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-06-22 11:40:21,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69CF0000 for section view with handle 0x260.
2020-06-22 11:40:21,796 [root] DEBUG: DLL loaded at 0x69CF0000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-06-22 11:40:24,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x655A0000 for section view with handle 0x268.
2020-06-22 11:40:24,343 [root] DEBUG: DLL loaded at 0x655A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-06-22 11:40:27,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00470000 for section view with handle 0x260.
2020-06-22 11:40:27,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65400000 for section view with handle 0x26c.
2020-06-22 11:40:27,781 [root] DEBUG: DLL loaded at 0x65400000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-22 11:40:27,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x63010000 for section view with handle 0x264.
2020-06-22 11:40:27,796 [root] DEBUG: DLL loaded at 0x63010000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-22 11:40:27,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65330000 for section view with handle 0x264.
2020-06-22 11:40:27,921 [root] DEBUG: DLL loaded at 0x65330000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni (0xc8000 bytes).
2020-06-22 11:40:28,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6AD10000 for section view with handle 0x264.
2020-06-22 11:40:28,046 [root] DEBUG: DLL loaded at 0x6AD10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni (0x45000 bytes).
2020-06-22 11:40:28,140 [root] DEBUG: OpenProcessHandler: Image base for process 5612 (handle 0x260): 0x00230000.
2020-06-22 11:40:28,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x24 amd local view 0x00530000 to global list.
2020-06-22 11:40:28,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x013D0000 for section view with handle 0x24.
2020-06-22 11:40:28,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x274 amd local view 0x02830000 to global list.
2020-06-22 11:40:28,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 amd local view 0x72A20000 to global list.
2020-06-22 11:40:28,437 [root] DEBUG: DLL loaded at 0x72A20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-22 11:40:28,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0B4C0000 for section view with handle 0x270.
2020-06-22 11:40:28,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 amd local view 0x737A0000 to global list.
2020-06-22 11:40:28,515 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-22 11:40:28,531 [root] DEBUG: DLL loaded at 0x731D0000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-22 11:40:28,562 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-22 11:40:28,562 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x2dffff
2020-06-22 11:40:28,562 [root] DEBUG: DumpMemory: Nothing to dump at 0x002D0000!
2020-06-22 11:40:28,562 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x002D0000 size 0x10000.
2020-06-22 11:40:28,578 [root] DEBUG: DumpPEsInRange: Scanning range 0x2d0000 - 0x2d1000.
2020-06-22 11:40:28,578 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2d0000-0x2d1000.
2020-06-22 11:40:28,609 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_2576040544801322162020 (size 0xf7)
2020-06-22 11:40:28,609 [root] DEBUG: DumpRegion: Dumped stack region from 0x002D0000, size 0x1000.
2020-06-22 11:40:29,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x288 amd local view 0x01330000 to global list.
2020-06-22 11:40:29,312 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-22 11:40:29,343 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
2020-06-22 11:40:29,359 [root] DEBUG: set_caller_info: Adding region at 0x002E0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-22 11:40:29,359 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x2effff
2020-06-22 11:40:29,359 [root] DEBUG: DumpMemory: Nothing to dump at 0x002E0000!
2020-06-22 11:40:29,359 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x002E0000 size 0x10000.
2020-06-22 11:40:29,359 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e0000-0x2ed000.
2020-06-22 11:40:29,390 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_12604424104901322162020 (size 0xcbd2)
2020-06-22 11:40:29,390 [root] DEBUG: DumpRegion: Dumped stack region from 0x002E0000, size 0xd000.
2020-06-22 11:40:29,453 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-22 11:40:44,437 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:44,453 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5612.
2020-06-22 11:40:44,468 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:44,468 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:44,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:44,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:44,500 [root] DEBUG: Loader: Injecting process 6124 (thread 4128) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:44,500 [root] DEBUG: Process image base: 0x00A60000
2020-06-22 11:40:44,500 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 11:40:44,500 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 11:40:44,515 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:44,515 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 6124
2020-06-22 11:40:44,531 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-22 11:40:44,593 [root] DEBUG: CreateProcessHandler: Injection info set for new process 6124, ImageBase: 0x00A60000
2020-06-22 11:40:44,593 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:44,593 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:44,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:44,609 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:44,625 [root] DEBUG: Loader: Injecting process 6124 (thread 4128) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:44,625 [root] DEBUG: Process image base: 0x00A60000
2020-06-22 11:40:44,625 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 11:40:44,625 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 11:40:44,625 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:44,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 6124
2020-06-22 11:40:45,703 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-22 11:40:49,468 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-22 11:40:49,562 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 6124 (ImageBase 0x400000)
2020-06-22 11:40:49,562 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 11:40:49,562 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04F02450.
2020-06-22 11:40:49,640 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x45400.
2020-06-22 11:40:49,640 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4f02450, SizeOfImage 0x4c000.
2020-06-22 11:40:49,656 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:49,656 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:49,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:49,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:49,671 [root] DEBUG: Loader: Injecting process 6124 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:49,671 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDE000 Local PEB 0x7FFDF000 Local TEB 0x7FFD8000: The operation completed successfully.
2020-06-22 11:40:49,671 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 11:40:49,671 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 11:40:49,671 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:49,687 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 6124, error: 4294967281
2020-06-22 11:40:50,687 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-22 11:40:50,687 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:50,687 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:50,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:50,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:50,703 [root] DEBUG: Loader: Injecting process 6124 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:50,718 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDE000 Local PEB 0x7FFDF000 Local TEB 0x7FFD5000: The operation completed successfully.
2020-06-22 11:40:50,718 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 11:40:50,718 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 11:40:50,718 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:50,718 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 6124, error: 4294967281
2020-06-22 11:40:51,734 [root] DEBUG: WriteMemoryHandler: shellcode at 0x037AD0DC (size 0x600) injected into process 6124.
2020-06-22 11:40:51,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_1557902642671322162020 (size 0x535)
2020-06-22 11:40:51,765 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 11:40:51,765 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:51,765 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:51,765 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:51,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:51,796 [root] DEBUG: Loader: Injecting process 6124 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:51,796 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDE000 Local PEB 0x7FFDF000 Local TEB 0x7FFD7000: The operation completed successfully.
2020-06-22 11:40:51,796 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 11:40:51,796 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 11:40:51,796 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:51,812 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 6124, error: 4294967281
2020-06-22 11:40:52,812 [root] DEBUG: WriteMemoryHandler: shellcode at 0x037C943C (size 0x200) injected into process 6124.
2020-06-22 11:40:52,859 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\5612_9594375682771322162020 (size 0x9)
2020-06-22 11:40:52,859 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-22 11:40:52,859 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:52,859 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:52,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:52,890 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:52,890 [root] DEBUG: Loader: Injecting process 6124 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:52,890 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDE000 Local PEB 0x7FFDF000 Local TEB 0x7FFDE000: The operation completed successfully.
2020-06-22 11:40:52,890 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4128, handle 0xa4
2020-06-22 11:40:52,890 [root] DEBUG: Process image base: 0x00A60000
2020-06-22 11:40:52,890 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 11:40:52,906 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 11:40:52,906 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:52,906 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 6124
2020-06-22 11:40:53,906 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:53,906 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:53,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:53,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:53,921 [root] DEBUG: Loader: Injecting process 6124 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:53,921 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDE000 Local PEB 0x7FFDE000 Local TEB 0x7FFDF000: The operation completed successfully.
2020-06-22 11:40:53,921 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 11:40:53,937 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-22 11:40:53,937 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:53,937 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 6124, error: 4294967281
2020-06-22 11:40:57,437 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0004690E (process 6124).
2020-06-22 11:40:57,437 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 6124
2020-06-22 11:40:57,437 [lib.api.process] INFO: Monitor config for process 6124: C:\tmpnwhtwc92\dll\6124.ini
2020-06-22 11:40:57,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:40:57,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:40:57,468 [root] DEBUG: Loader: Injecting process 6124 (thread 4128) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:57,468 [root] DEBUG: Process image base: 0x00400000
2020-06-22 11:40:57,468 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-22 11:40:57,468 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-22 11:40:57,468 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:40:57,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 6124
2020-06-22 11:40:59,484 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:40:59,500 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 11:40:59,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 11:40:59,515 [root] INFO: Disabling sleep skipping.
2020-06-22 11:40:59,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 6124 at 0x6a6b0000, image base 0x400000, stack from 0x296000-0x2a0000
2020-06-22 11:40:59,531 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe".
2020-06-22 11:40:59,546 [root] INFO: Loaded monitor into process with pid 6124
2020-06-22 11:40:59,546 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 11:40:59,562 [root] DEBUG: set_caller_info: Adding region at 0x016C0000 to caller regions list (kernel32::GetSystemTime).
2020-06-22 11:40:59,562 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-22 11:40:59,562 [root] DEBUG: DLL unloaded from 0x655A0000.
2020-06-22 11:40:59,687 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x16c0000
2020-06-22 11:40:59,687 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x016C0000 size 0x400000.
2020-06-22 11:40:59,703 [root] DEBUG: DumpPEsInRange: Scanning range 0x16c0000 - 0x16c1000.
2020-06-22 11:40:59,703 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x16c0000-0x16c1000.
2020-06-22 11:40:59,875 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5612
2020-06-22 11:40:59,875 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_12185635385901322162020 (size 0x597)
2020-06-22 11:40:59,875 [root] DEBUG: GetHookCallerBase: thread 5372 (handle 0x0), return address 0x6A6E1698, allocation base 0x6A6B0000.
2020-06-22 11:40:59,875 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00230000.
2020-06-22 11:40:59,875 [root] DEBUG: DumpRegion: Dumped stack region from 0x016C0000, size 0x1000.
2020-06-22 11:40:59,875 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00232000
2020-06-22 11:40:59,890 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 11:40:59,890 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00230000.
2020-06-22 11:40:59,890 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x002C6000 to 0x002C6200).
2020-06-22 11:40:59,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_17488422445901322162020 (size 0x129)
2020-06-22 11:40:59,921 [root] DEBUG: DumpRegion: Dumped stack region from 0x00080000, size 0x1000.
2020-06-22 11:40:59,921 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-22 11:40:59,937 [root] DEBUG: DLL loaded at 0x02C70000: C:\tmpnwhtwc92\dll\eRsIYV (0xd5000 bytes).
2020-06-22 11:40:59,937 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00230000, dumping memory region.
2020-06-22 11:40:59,937 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 11:40:59,937 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 11:40:59,937 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 11:40:59,937 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 11:40:59,937 [root] DEBUG: DLL unloaded from 0x02C70000.
2020-06-22 11:40:59,953 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 11:40:59,953 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-22 11:40:59,953 [root] DEBUG: DLL unloaded from 0x69060000.
2020-06-22 11:40:59,968 [root] DEBUG: DLL unloaded from 0x703E0000.
2020-06-22 11:40:59,984 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5612
2020-06-22 11:40:59,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_19656595365901322162020 (size 0x129)
2020-06-22 11:40:59,984 [root] DEBUG: DumpRegion: Dumped stack region from 0x00090000, size 0x1000.
2020-06-22 11:41:00,000 [root] DEBUG: DLL loaded at 0x02C70000: C:\tmpnwhtwc92\dll\eRsIYV (0xd5000 bytes).
2020-06-22 11:41:00,000 [root] DEBUG: GetHookCallerBase: thread 5372 (handle 0x0), return address 0x6A6E1698, allocation base 0x6A6B0000.
2020-06-22 11:41:00,000 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 11:41:00,000 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00230000.
2020-06-22 11:41:00,015 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 11:41:00,015 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00232000
2020-06-22 11:41:00,015 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-22 11:41:00,015 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 11:41:00,015 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00230000.
2020-06-22 11:41:00,031 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 11:41:00,031 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x002C6000 to 0x002C6200).
2020-06-22 11:41:00,046 [root] DEBUG: DLL unloaded from 0x02C70000.
2020-06-22 11:41:00,046 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 11:41:00,078 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-22 11:41:00,093 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00230000, dumping memory region.
2020-06-22 11:41:00,093 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_249891618011322162020 (size 0x129)
2020-06-22 11:41:00,093 [root] DEBUG: DumpRegion: Dumped stack region from 0x000A0000, size 0x1000.
2020-06-22 11:41:00,109 [root] DEBUG: DLL loaded at 0x02C70000: C:\tmpnwhtwc92\dll\eRsIYV (0xd5000 bytes).
2020-06-22 11:41:00,109 [root] INFO: Process with pid 5612 has terminated
2020-06-22 11:41:00,109 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 11:41:00,125 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 11:41:00,203 [root] DEBUG: DLL unloaded from 0x716B0000.
2020-06-22 11:41:00,249 [root] DEBUG: DLL unloaded from 0x769C0000.
2020-06-22 11:41:00,265 [root] DEBUG: DLL unloaded from 0x02C70000.
2020-06-22 11:41:00,281 [root] DEBUG: set_caller_info: Adding region at 0x001A0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-22 11:41:00,281 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x001A0000.
2020-06-22 11:41:00,328 [root] DEBUG: set_caller_info: Adding region at 0x00520000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-22 11:41:00,375 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 6124, handle 0xf4.
2020-06-22 11:41:00,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00140000 to global list.
2020-06-22 11:41:00,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x00150000 to global list.
2020-06-22 11:41:00,390 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:00,406 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:00,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x05820000 to global list.
2020-06-22 11:41:00,437 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:00,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x66470000 for section view with handle 0x1bc.
2020-06-22 11:41:00,453 [root] DEBUG: DLL loaded at 0x66470000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-22 11:41:00,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x69F80000 to global list.
2020-06-22 11:41:00,484 [root] DEBUG: DLL loaded at 0x69F80000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-22 11:41:00,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x77020000 to global list.
2020-06-22 11:41:00,484 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-22 11:41:00,531 [root] DEBUG: set_caller_info: Adding region at 0x003B0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-22 11:41:00,593 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_16849825692011322162020 (size 0xfb1d)
2020-06-22 11:41:00,593 [root] DEBUG: DumpRegion: Dumped stack region from 0x003B0000, size 0x10000.
2020-06-22 11:41:00,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x681A0000 to global list.
2020-06-22 11:41:00,640 [root] DEBUG: DLL loaded at 0x681A0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-22 11:41:00,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69DE0000 for section view with handle 0x214.
2020-06-22 11:41:00,656 [root] DEBUG: DLL loaded at 0x69DE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-22 11:41:00,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 amd local view 0x65750000 to global list.
2020-06-22 11:41:00,671 [root] DEBUG: DLL loaded at 0x65750000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-22 11:41:00,812 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-22 11:41:00,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3effff
2020-06-22 11:41:00,906 [root] DEBUG: DumpMemory: Nothing to dump at 0x003E0000!
2020-06-22 11:41:00,906 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003E0000 size 0x10000.
2020-06-22 11:41:00,906 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3e1000.
2020-06-22 11:41:00,921 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3e1000.
2020-06-22 11:41:00,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_6527613192011322162020 (size 0x2a6)
2020-06-22 11:41:00,984 [root] DEBUG: DumpRegion: Dumped stack region from 0x003E0000, size 0x1000.
2020-06-22 11:41:01,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x6E180000 to global list.
2020-06-22 11:41:01,015 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-22 11:41:01,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05DD0000 for section view with handle 0x21c.
2020-06-22 11:41:01,031 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-22 11:41:01,093 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 11:41:01,093 [root] DEBUG: set_caller_info: Adding region at 0x00170000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-22 11:41:01,109 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x17ffff
2020-06-22 11:41:01,125 [root] DEBUG: DumpMemory: Nothing to dump at 0x00170000!
2020-06-22 11:41:01,125 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00170000 size 0x10000.
2020-06-22 11:41:01,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x170000 - 0x171000.
2020-06-22 11:41:01,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x170000-0x171000.
2020-06-22 11:41:01,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_19926675802111322162020 (size 0x14)
2020-06-22 11:41:01,203 [root] DEBUG: DumpRegion: Dumped stack region from 0x00170000, size 0x1000.
2020-06-22 11:41:01,203 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-22 11:41:01,296 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-22 11:41:01,328 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x18ffff
2020-06-22 11:41:01,343 [root] DEBUG: DumpMemory: Nothing to dump at 0x00180000!
2020-06-22 11:41:01,359 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00180000 size 0x10000.
2020-06-22 11:41:01,359 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x18c000.
2020-06-22 11:41:01,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x180000-0x18c000.
2020-06-22 11:41:01,453 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_4877784562111322162020 (size 0xb143)
2020-06-22 11:41:01,484 [root] DEBUG: DumpRegion: Dumped stack region from 0x00180000, size 0xc000.
2020-06-22 11:41:01,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 amd local view 0x679C0000 to global list.
2020-06-22 11:41:01,953 [root] DEBUG: DLL loaded at 0x679C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-22 11:41:02,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 amd local view 0x69850000 to global list.
2020-06-22 11:41:02,046 [root] DEBUG: DLL loaded at 0x69850000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-22 11:41:13,171 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 11:41:13,187 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 11:41:13,265 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-22 11:41:13,281 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-22 11:41:13,328 [root] DEBUG: DLL loaded at 0x6B5B0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-22 11:41:13,343 [root] DEBUG: DLL loaded at 0x6A550000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-22 11:41:13,359 [root] DEBUG: DLL loaded at 0x76480000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-22 11:41:13,375 [root] DEBUG: DLL loaded at 0x76120000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-22 11:41:13,390 [root] INFO: Stopping WMI Service
2020-06-22 11:41:21,140 [root] INFO: Stopped WMI Service
2020-06-22 11:41:21,484 [lib.api.process] INFO: Monitor config for process 580: C:\tmpnwhtwc92\dll\580.ini
2020-06-22 11:41:21,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:41:21,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:41:21,562 [root] DEBUG: Loader: Injecting process 580 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:21,578 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD4000 Local PEB 0x7FFDF000 Local TEB 0x7FFDE000: The operation completed successfully.
2020-06-22 11:41:21,578 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 628, handle 0xa4
2020-06-22 11:41:21,578 [root] DEBUG: Process image base: 0x00BB0000
2020-06-22 11:41:21,593 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-22 11:41:21,593 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-22 11:41:21,609 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 11:41:21,609 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 11:41:21,609 [root] INFO: Disabling sleep skipping.
2020-06-22 11:41:21,609 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 580 at 0x6a6b0000, image base 0xbb0000, stack from 0xfc6000-0xfd0000
2020-06-22 11:41:21,609 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-06-22 11:41:21,671 [root] INFO: Loaded monitor into process with pid 580
2020-06-22 11:41:21,671 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 11:41:21,671 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 11:41:21,671 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:23,687 [root] INFO: Starting WMI Service
2020-06-22 11:41:25,781 [root] INFO: Started WMI Service
2020-06-22 11:41:25,796 [lib.api.process] INFO: Monitor config for process 3724: C:\tmpnwhtwc92\dll\3724.ini
2020-06-22 11:41:25,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:41:25,828 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:41:25,828 [root] DEBUG: Loader: Injecting process 3724 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:25,843 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD5000 Local PEB 0x7FFDF000 Local TEB 0x7FFD5000: The operation completed successfully.
2020-06-22 11:41:25,859 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2984, handle 0xa4
2020-06-22 11:41:25,859 [root] DEBUG: Process image base: 0x00BB0000
2020-06-22 11:41:25,890 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-22 11:41:25,906 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-22 11:41:25,921 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 11:41:25,953 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 11:41:25,968 [root] INFO: Disabling sleep skipping.
2020-06-22 11:41:25,968 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3724 at 0x6a6b0000, image base 0xbb0000, stack from 0xbf6000-0xc00000
2020-06-22 11:41:25,968 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-22 11:41:26,000 [root] INFO: Loaded monitor into process with pid 3724
2020-06-22 11:41:26,000 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 11:41:26,015 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 11:41:26,015 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:28,046 [root] DEBUG: DLL loaded at 0x6E270000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-22 11:41:28,078 [root] DEBUG: DLL loaded at 0x6E8F0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-06-22 11:41:28,093 [root] DEBUG: DLL loaded at 0x733A0000: C:\Windows\system32\ATL (0x14000 bytes).
2020-06-22 11:41:28,093 [root] DEBUG: DLL loaded at 0x6E820000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-06-22 11:41:28,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x00510000 to global list.
2020-06-22 11:41:28,093 [root] DEBUG: DLL loaded at 0x72D90000: C:\Windows\system32\samcli (0xf000 bytes).
2020-06-22 11:41:28,109 [root] DEBUG: DLL loaded at 0x73980000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-06-22 11:41:28,125 [root] DEBUG: DLL loaded at 0x73C00000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-22 11:41:28,140 [root] DEBUG: DLL loaded at 0x733C0000: C:\Windows\system32\es (0x47000 bytes).
2020-06-22 11:41:28,171 [root] DEBUG: DLL loaded at 0x73A50000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-22 11:41:28,218 [root] DEBUG: DLL loaded at 0x6DD60000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-06-22 11:41:28,249 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-06-22 11:41:28,281 [root] DEBUG: DLL loaded at 0x6D810000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-22 11:41:28,296 [root] DEBUG: DLL loaded at 0x6D690000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-06-22 11:41:28,328 [root] DEBUG: DLL loaded at 0x74A60000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-06-22 11:41:28,343 [root] DEBUG: DLL unloaded from 0x74A60000.
2020-06-22 11:41:28,812 [root] DEBUG: DLL loaded at 0x6CFD0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-06-22 11:41:28,812 [root] DEBUG: DLL loaded at 0x6CE30000: C:\Windows\system32\NCObjAPI (0xf000 bytes).
2020-06-22 11:41:28,843 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 580, handle 0x2c8.
2020-06-22 11:41:28,859 [root] DEBUG: DLL loaded at 0x69D80000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-06-22 11:41:29,296 [root] DEBUG: DLL loaded at 0x6E490000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-06-22 11:41:29,312 [root] DEBUG: DLL loaded at 0x6E300000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-22 11:41:29,328 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-22 11:41:29,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2e8 amd local view 0x00780000 to global list.
2020-06-22 11:41:29,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2d8 amd local view 0x05660000 to global list.
2020-06-22 11:41:29,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2f8 amd local view 0x6E330000 to global list.
2020-06-22 11:41:29,625 [root] DEBUG: DLL loaded at 0x6E330000: C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni (0x32000 bytes).
2020-06-22 11:41:29,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E8B0000 for section view with handle 0x2f8.
2020-06-22 11:41:29,640 [root] DEBUG: DLL loaded at 0x72A20000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-06-22 11:41:29,656 [root] DEBUG: DLL loaded at 0x6E8B0000: C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x18000 bytes).
2020-06-22 11:41:29,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007B0000 for section view with handle 0x2f8.
2020-06-22 11:41:29,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2f4 amd local view 0x007B0000 to global list.
2020-06-22 11:41:29,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2fc amd local view 0x007B0000 to global list.
2020-06-22 11:41:29,687 [root] DEBUG: DLL unloaded from 0x69060000.
2020-06-22 11:41:29,859 [root] DEBUG: DLL unloaded from 0x6DD60000.
2020-06-22 11:41:30,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65620000 for section view with handle 0x2f8.
2020-06-22 11:41:30,000 [root] DEBUG: DLL loaded at 0x65620000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-06-22 11:41:30,000 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:30,046 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:30,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x344 amd local view 0x6E290000 to global list.
2020-06-22 11:41:30,171 [root] DEBUG: DLL loaded at 0x6E290000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-06-22 11:41:32,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:35,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:41:42,343 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-22 11:41:42,343 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-22 11:41:53,718 [root] DEBUG: DLL loaded at 0x6CC40000: C:\Windows\system32\wshom.ocx (0x21000 bytes).
2020-06-22 11:41:53,718 [root] DEBUG: DLL loaded at 0x714F0000: C:\Windows\system32\MPR (0x12000 bytes).
2020-06-22 11:41:53,750 [root] DEBUG: DLL loaded at 0x6CC10000: C:\Windows\system32\ScrRun (0x2a000 bytes).
2020-06-22 11:41:53,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x38c amd local view 0x007C0000 to global list.
2020-06-22 11:41:53,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x334 amd local view 0x007D0000 to global list.
2020-06-22 11:41:53,937 [root] DEBUG: set_caller_info: Adding region at 0x009D0000 to caller regions list (kernel32::VirtualProtectEx).
2020-06-22 11:41:53,953 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x9dffff
2020-06-22 11:41:53,953 [root] DEBUG: DumpMemory: Nothing to dump at 0x009D0000!
2020-06-22 11:41:53,953 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x009D0000 size 0x10000.
2020-06-22 11:41:53,968 [root] DEBUG: DumpPEsInRange: Scanning range 0x9d0000 - 0x9d4000.
2020-06-22 11:41:53,968 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x9d0000-0x9d4000.
2020-06-22 11:41:54,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UbkyhgifY\CAPE\6124_42793812014161322162020 (size 0x30a3)
2020-06-22 11:41:54,015 [root] DEBUG: DumpRegion: Dumped stack region from 0x009D0000, size 0x4000.
2020-06-22 11:41:54,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x338 amd local view 0x007E0000 to global list.
2020-06-22 11:41:54,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x394 amd local view 0x009E0000 to global list.
2020-06-22 11:41:54,500 [root] DEBUG: DLL loaded at 0x71900000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-22 11:41:54,515 [root] DEBUG: DLL unloaded from 0x763B0000.
2020-06-22 11:41:54,843 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-22 11:41:54,843 [lib.api.process] INFO: Monitor config for process 464: C:\tmpnwhtwc92\dll\464.ini
2020-06-22 11:41:54,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:41:54,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:41:54,890 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:54,890 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFDD000: The operation completed successfully.
2020-06-22 11:41:54,921 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-22 11:41:54,921 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-22 11:41:54,937 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 11:41:54,937 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 11:41:54,937 [root] INFO: Disabling sleep skipping.
2020-06-22 11:41:54,953 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 464 at 0x6a6b0000, image base 0x280000, stack from 0x18f6000-0x1900000
2020-06-22 11:41:54,953 [root] DEBUG: Commandline: C:\Windows\System32\services.exe.
2020-06-22 11:41:54,968 [root] INFO: Loaded monitor into process with pid 464
2020-06-22 11:41:54,968 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 11:41:54,968 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 11:41:54,968 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:56,000 [root] INFO: Announced 32-bit process name: lsass.exe pid: 2732
2020-06-22 11:41:56,015 [lib.api.process] INFO: Monitor config for process 2732: C:\tmpnwhtwc92\dll\2732.ini
2020-06-22 11:41:56,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\eRsIYV.dll, loader C:\tmpnwhtwc92\bin\nLOujYI.exe
2020-06-22 11:41:56,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hbOLPvplf.
2020-06-22 11:41:56,125 [root] DEBUG: Loader: Injecting process 2732 (thread 2736) with C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:56,125 [root] DEBUG: Process image base: 0x00240000
2020-06-22 11:41:56,140 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:56,140 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 11:41:56,171 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\eRsIYV.dll.
2020-06-22 11:41:56,171 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2732
2020-06-22 11:41:56,171 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-22 11:41:56,187 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2732.
2020-06-22 11:41:56,249 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 11:41:56,249 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 11:41:56,265 [root] INFO: Disabling sleep skipping.
2020-06-22 11:41:56,265 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 11:41:56,265 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2732 at 0x6a6b0000, image base 0x240000, stack from 0x1c6000-0x1d0000
2020-06-22 11:41:56,281 [root] INFO: Loaded monitor into process with pid 2732
2020-06-22 11:41:58,234 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-22 11:42:05,500 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:42:05,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f8 amd local view 0x00770000 to global list.
2020-06-22 11:42:05,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3fc amd local view 0x00820000 to global list.
2020-06-22 11:42:05,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00770000 for section view with handle 0x3fc.
2020-06-22 11:42:05,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00820000 for section view with handle 0x3f8.
2020-06-22 11:42:05,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3d8 amd local view 0x00770000 to global list.
2020-06-22 11:42:05,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f4 amd local view 0x00770000 to global list.
2020-06-22 11:42:05,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:42:26,234 [root] INFO: Process with pid 2732 has terminated
2020-06-22 11:42:28,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x418 amd local view 0x64A70000 to global list.
2020-06-22 11:42:48,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 amd local view 0x65520000 to global list.
2020-06-22 11:42:48,000 [root] DEBUG: DLL loaded at 0x65520000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-22 11:42:48,046 [root] DEBUG: DLL loaded at 0x6E090000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-06-22 11:43:32,515 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-22 11:43:32,515 [lib.api.process] INFO: Terminate event set for process 6124
2020-06-22 11:43:37,515 [lib.api.process] INFO: Termination confirmed for process 6124
2020-06-22 11:43:37,515 [root] INFO: Terminate event set for process 6124.
2020-06-22 11:43:37,515 [lib.api.process] INFO: Terminate event set for process 580
2020-06-22 11:43:38,953 [root] DEBUG: Terminate Event: Attempting to dump process 6124
2020-06-22 11:43:39,031 [lib.api.process] INFO: Termination confirmed for process 580
2020-06-22 11:43:39,031 [root] INFO: Terminate event set for process 580.
2020-06-22 11:43:39,031 [lib.api.process] INFO: Terminate event set for process 3724
2020-06-22 11:43:39,078 [root] DEBUG: Terminate Event: Attempting to dump process 3724
2020-06-22 11:43:39,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6124.
2020-06-22 11:43:39,109 [lib.api.process] INFO: Termination confirmed for process 3724
2020-06-22 11:43:39,109 [root] INFO: Terminate event set for process 3724.
2020-06-22 11:43:39,109 [lib.api.process] INFO: Terminate event set for process 464
2020-06-22 11:43:39,109 [root] DEBUG: Terminate Event: Attempting to dump process 464
2020-06-22 11:43:39,109 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00280000.
2020-06-22 11:43:39,109 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 11:43:39,125 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00280000.
2020-06-22 11:43:39,125 [root] DEBUG: DumpProcess: Module entry point VA is 0x00013882.
2020-06-22 11:43:44,109 [lib.api.process] INFO: Termination confirmed for process 464
2020-06-22 11:43:44,109 [root] INFO: Terminate event set for process 464.
2020-06-22 11:43:44,109 [root] INFO: Created shutdown mutex.
2020-06-22 11:43:45,000 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3f000.
2020-06-22 11:43:45,125 [root] INFO: Shutting down package.
2020-06-22 11:43:45,125 [root] INFO: Stopping auxiliary modules.
2020-06-22 11:43:55,343 [root] DEBUG: Terminate Event: Shutdown complete for process 464 but failed to inform analyzer.
2020-06-22 11:44:14,984 [lib.common.results] WARNING: File C:\UbkyhgifY\bin\procmon.xml doesn't exist anymore
2020-06-22 11:44:14,984 [root] INFO: Finishing auxiliary modules.
2020-06-22 11:44:14,984 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-22 11:44:15,000 [root] WARNING: Folder at path "C:\UbkyhgifY\debugger" does not exist, skip.
2020-06-22 11:44:15,031 [root] INFO: Analysis completed.

Machine

Name win7_1
Label win7_1
Manager KVM
Started On 2020-06-22 14:41:59
Shutdown On 2020-06-22 14:48:22

File Details

File Name 43256543245543_pdf.exe
File Size 614912 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2019-08-17 16:10:48
MD5 aaf1535db849426f75fd67119c6110a9
SHA1 8f5beba86cf29f7fc1a30074ec589148b4c501a7
SHA256 88bf10febaff7f0d1590f50c4edecdd593fec5fae1bfd72996a53d39a93aa97f
SHA512 b5a9ce50b2fc1e2e50b3e369dcca6820bd7630126ca2e7f8fa2b75c0d7d8900a2c70af5f8b1fbcd12ae7385ca123dae7db03e5b94a33541580b831a3bd995ecf
CRC32 9781D644
Ssdeep 6144:soS6WaolR0YFEvkn6HcRYcrviCcskmsyV+cKxzo/1XfdmnZcor8:kcolDF+eOcrviCpkA+cKxzs1dmnZcV
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 5612 trigged the Yara rule 'AgentTeslaV2'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: InstallUtil.exe tried to sleep 554.991 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/PathAppendW
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: dwrite.dll/DWriteCreateFactory
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: GDI32.dll/GdiEntry13
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/CopyFileEx
DynamicLoader: KERNEL32.dll/CopyFileExW
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ADVAPI32.dll/CreateProcessAsUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: MSVCR120_CLR0400.dll/_unlock
DynamicLoader: MSVCR120_CLR0400.dll/_lock
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
CAPE extracted potentially suspicious content
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
43256543245543_pdf.exe: Injected Shellcode/Data
43256543245543_pdf.exe: Unpacked Shellcode
43256543245543_pdf.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
43256543245543_pdf.exe: Unpacked Shellcode
43256543245543_pdf.exe: Unpacked Shellcode
43256543245543_pdf.exe: Injected Shellcode/Data
InstallUtil.exe: Unpacked Shellcode
43256543245543_pdf.exe: AgentTeslaV2 Payload: 32-bit executable
43256543245543_pdf.exe: AgentTeslaV2
43256543245543_pdf.exe: Unpacked Shellcode
Drops a binary and executes it
binary: C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
Attempts to mimic the file extension of a PDF document by having 'pdf' in the file name.
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\43256543245543_pdf.exe
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Rebecca\AppData\Local\Temp\43256543245543_pdf.exe:Zone.Identifier
Behavioural detection: Injection (Process Hollowing)
Injection: 43256543245543_pdf.exe(5612) -> InstallUtil.exe(6124)
Executed a process and injected code into it, probably while unpacking
Injection: 43256543245543_pdf.exe(5612) -> InstallUtil.exe(6124)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (464) called API GetSystemTimeAsFileTime 7542560 times
Steals private information from local Internet browsers
file: C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
Network activity detected but not expressed in API logs
Attempts to bypass application whitelisting by copying and executing .NET utility in a suspended state, potentially for injection
Copy: c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Process: 43256543245543_pdf.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
CAPE detected the AgentTeslaV2 malware family
File has been identified by 17 Antiviruses on VirusTotal as malicious
FireEye: Generic.mg.aaf1535db849426f
Qihoo-360: HEUR/QVM03.0.1315.Malware.Gen
Cylance: Unsafe
Sangfor: Malware
F-Prot: W32/MSIL_Kryptik.AWA.gen!Eldorado
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Rising: Spyware.AgentTesla!1.B864 (CLASSIC)
SentinelOne: DFI - Malicious PE
Cyren: W32/MSIL_Kryptik.AWA.gen!Eldorado
Microsoft: Trojan:Win32/Wacatac.C!ml
ZoneAlarm: UDS:DangerousObject.Multi.Generic
McAfee: Fareit-FVG!AAF1535DB849
Tencent: Win32.Trojan.Inject.Auto
BitDefenderTheta: Gen:[email protected]
CrowdStrike: win/malicious_confidence_60% (D)
MaxSecure: Trojan.Malware.300983.susgen
Harvests credentials from local FTP client softwares
file: C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Rebecca\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\en-US\wshom.ocx.mui
C:\FTP Navigator\Ftplist.txt
C:\Program Files\jDownloader\config\database.script
C:\Users\Rebecca\AppData\Roaming\Pocomail\accounts.ini
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\*
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
C:\Users\Rebecca\AppData\Roaming\The Bat!
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\logins.json
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\signons.sqlite
C:\Users\Rebecca\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\cftp\Ftplist.txt
C:\Users\Rebecca\AppData\Local\UCBrowser\*
C:\Program Files\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Rebecca\AppData\Local\Temp\Folder.lst
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\Rebecca\AppData\Local\Microsoft\Edge\User Data
C:\Users\Rebecca\AppData\Local\Temp\vaultcli.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\Rebecca\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Storage\
C:\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
C:\Users\Rebecca\AppData\Roaming\Psi\profiles
C:\Users\Rebecca\AppData\Roaming\Psi+\profiles
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Windows\Temp
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\43256543245543_pdf.exe.config
C:\Users\Rebecca\AppData\Local\Temp\43256543245543_pdf.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\FTP Navigator\Ftplist.txt
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Users\Rebecca\AppData\Local\Temp\43256543245543_pdf.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_USERS\S-1-5-20_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\Elevation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
"C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe"
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
VaultSvc

PE Information

| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | Compile Time | Import Hash |
|---|---|---|---|---|---|---|
| 0x00400000 | 0x00496b7e | 0x00000000 | 0x000a0d95 | 4.0 | 2019-08-17 16:10:48 | f34d5f2d4577ed6d9ceec516c1f5a744 |

Sections

| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000200 | 0x00002000 | 0x00094b84 | 0x00094c00 | IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ | 5.28 |
| .rsrc | 0x00094e00 | 0x00098000 | 0x00001061 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ | 4.88 |
| .reloc | 0x00096000 | 0x0009a000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ | 0.10 |

Resources

| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x000980a0 | 0x0000036c | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.58 | None |
| RT_MANIFEST | 0x0009840c | 0x00000c55 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.01 | None |

Imports


Assembly Information

Name 3d*
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
PresentationFramework 4.0.0.0
System.Xaml 4.0.0.0
System 4.0.0.0
System.Drawing 4.0.0.0
uKsFVQUoHBOfpqIHMpuJHjQRyZAn 0.0.0.0
System.Core 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute [email protected]/9xc7Q($n
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright © 2015 - 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 2ab2b471-bc60-45ec-bac3-2d7d15a0ba
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 9.14.19.
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute m*7J%Ts5Z3)g9b
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute 3Gt)Kr^4#5qXJ$
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute b)8S9pP_E#d32c
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute m*7J%Ts5Z3)g9b

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.SuppressIldasmAttribute
mscorlib System.Reflection.Assembly
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
mscorlib System.Reflection.MethodInfo
mscorlib System.Reflection.MethodBase
mscorlib System.Threading.Thread
mscorlib System.Threading.ParameterizedThreadStart
mscorlib System.ResolveEventArgs
mscorlib System.ValueType
mscorlib System.Object
mscorlib System.IO.Stream
PresentationFramework System.Windows.MessageBoxResult
mscorlib System.Array
mscorlib System.RuntimeFieldHandle
PresentationFramework System.Windows.Controls.Control
PresentationFramework System.Windows.Window
System.Xaml System.Windows.Markup.IComponentConnector
System System.Uri
System System.UriKind
PresentationFramework System.Windows.Controls.Page
PresentationFramework System.Windows.Controls.UserControl
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.STAThreadAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Environment
mscorlib System.String
mscorlib System.Diagnostics.Debugger
mscorlib System.IO.MemoryStream
mscorlib System.Byte
mscorlib System.UInt32
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Buffer
mscorlib System.Text.Encoding
mscorlib System.AppDomain
mscorlib System.ResolveEventHandler
mscorlib System.Math
mscorlib System.InvalidCastException
PresentationFramework System.Windows.MessageBox
System.Core System.Linq.Enumerable
mscorlib System.Collections.Generic.IEnumerable`1
PresentationFramework System.Windows.Application

UUE3|N{I5SkN5oFphbzg>eUVCMnO0aWV6V?NkZ2RV]UthOW8BdDFGZjyxVjJCabdhUTgzeVFHZEp
ZDJLNXd1ZFpmVStvMzE0qVloalZZYXBnYWhhWmdFeblrMmNwcmVS
QdA2UFVR_VZoQVR|ZFU0cX\LOHJHWy1GaHpi`[email protected]
SRDlpU>FMTHlSd0ZOQnN
N3JXUjhoMlFBd{V6SzZ4]G84bmRZenFTS0
ya1lOZSozeTY5_jZHakM
R01kdzT0QmtKNUFSZ1NvqWtCbQ=K|UjcyefpHd2NIq0N1cGN
WVVHRFPKMlZrWfBzbzZRh3pHYVVoVVhIYWXqQVlvTxhNWUtV[nJDZlc>NlFxcDhKTUdGRVFNY3UzelRLYkxCZzZ5N0~5WXhuRTVUZTNu
N3V6ZfJ2cTRYq0hWbnp
emd5a2\yS0JVMcpaczN2qnZIVTd
[email protected]@9tTmI1\jdiM0x[ZVczN2\naERhUS5UNGRtsTQ1TjF
Z2Jybz\MZUpUR?hGSEJEpw==|THTMcUFZZzNlN2Z0gWI2c3k>VzFVeU
5M2o4Zc1oRDdQeWI5WVlxdlNYQVvLY1RHN
gxMjlWqjNyRWtAbzM5aHg2Y2FraRNwd0FidlZZenpVNVlCbkqyUHl0b
dk|QjFwajJHd2vmeUp3cyNVR0tjakRBaHZRcUpUTGhXbmRaRTZicnI3[2pZaXBPcEZTTWdRYVBtceZrNzNFeEx4UFZ
YXh6Y2y0UDNvMyVOakJBg1htWVhYazk2TXhI
aW5wrXREYXRv
Olpvb{UuSWRlpnRpZmlzcg==$bUVsZWEucHJvcGV
dGllcyCSZXNvdfJjZXM=+
_CorExsMain
coree.rll
J?xml vsrsion=01.0" e|codingK"UTF-80 standolone="
es"?>
<asssmbly x{lns="u
n:sche{as-mic
osoft-qom:asm<v1" ma|ifestVsrsion=01.0">
<asssmblyIdsntity
ersionK"1.0.0<0" nams="MyAp~licati}n.app"=>
rustInto xmln
="urn:
chemas;micros}ft-comHasm.v20>
.<securwty>
. <rsquesterPrivilsges xmzns="ur|:schemos-micr}soft-c}m:asm.
. Jreques
edExec
tionLe
el levsl="asI|voker".uiAcce
s="fal
. <=reques
edPrivwleges>
<=securi
J/trustWnfo>
J/assemply>
}?B1%&8l
NRo%+
Spg#%&8
`oWZ
PW%&8
]Z ~t
-Z Ff
SuDCZ ,
zN,(Z
v?a86
/BbZ
u1a8_
-|8Z
Z ^x5
BZa8{
R{a8a
Z g8D
Z 9+>
Z Q?A;a8L
`Z =J
]Z l7-sa8
Z jfoma8r
^'Z
iZ Gsuba
u Z M
Ze$a8
2Z H+
l%&8x
uh1~Z
{X&a8
OBVZ
.)Ja8
bZ h!#
|~EZ
|ma82
ohaa+
Z pktaa8#
*wZ e
#UkZ YG:za+
Z vI|
Whw$Z
m%&8v
OttGZ O:^
XNiw%&8?
D_kZ i1>Za8
2%&8}
`+7%&8A
^R\Z
JU,a8
)VqZ g
3]KZa8
'/Z e+
tIt?Za8r
K4Ka8m
EZ \<
k1y-%&8
sYZ B^F
(%&8C
x%&8%
Huc`Z >
2Z W}
@<&%&8
qLwAZ t
X%&8a
X_4Z
R:Z O
Yja8^
XQ&Y%+
\fvZ
Aeka+
g =*KMa%
oYa87
$|0YZa8<
~iZa8
LcWE%+
85%&+
$DgE%+
C=nZ @
Z Zcv
5Z t1
T==%+
6!Z T
Z PDP
+b)a+
[[TZ
,6 A&
X:iZ
+2 tb
\/@[Z
boardHook
kbHook
entProtocol
Create__Instance__
Dispose__Instance__
My.WebServices
4System.Web.Services.Protocols.SoapHttpCliMyTemplate
14.0.0.0
My.Computer
My.Application
My.User
WrapNonExceptionThrows
$856bd200-5920-4abd-afe2-289bc1d5

Full Results

| Engine | Signature | Engine | Signature | Engine | Signature |
|---|---|---|---|---|---|
| Bkav | Clean | MicroWorld-eScan | Clean | FireEye | Generic.mg.aaf1535db849426f |
| CAT-QuickHeal | Clean | Qihoo-360 | HEUR/QVM03.0.1315.Malware.Gen | ALYac | Clean |
| Cylance | Unsafe | Zillya | Clean | SUPERAntiSpyware | Clean |
| Sangfor | Malware | K7AntiVirus | Clean | Alibaba | Clean |
| K7GW | Clean | Cybereason | Clean | Arcabit | Clean |
| Invincea | Clean | Baidu | Clean | F-Prot | W32/MSIL_Kryptik.AWA.gen!Eldorado |
| Symantec | Clean | TotalDefense | Clean | APEX | Malicious |
| Paloalto | Clean | ClamAV | Clean | Kaspersky | UDS:DangerousObject.Multi.Generic |
| BitDefender | Clean | NANO-Antivirus | Clean | AegisLab | Clean |
| Avast | Clean | Rising | Spyware.AgentTesla!1.B864 (CLASSIC) | Ad-Aware | Clean |
| TACHYON | Clean | Sophos | Clean | Comodo | Clean |
| F-Secure | Clean | DrWeb | Clean | VIPRE | Clean |
| TrendMicro | Clean | McAfee-GW-Edition | Clean | Trapmine | Clean |
| CMC | Clean | Emsisoft | Clean | SentinelOne | DFI - Malicious PE |
| Cyren | W32/MSIL_Kryptik.AWA.gen!Eldorado | Jiangmin | Clean | Webroot | Clean |
| Avira | Clean | Fortinet | Clean | Antiy-AVL | Clean |
| Kingsoft | Clean | Endgame | Clean | Microsoft | Trojan:Win32/Wacatac.C!ml |
| ViRobot | Clean | ZoneAlarm | UDS:DangerousObject.Multi.Generic | Avast-Mobile | Clean |
| Cynet | Clean | AhnLab-V3 | Clean | Acronis | Clean |
| McAfee | Fareit-FVG!AAF1535DB849 | MAX | Clean | VBA32 | Clean |
| Malwarebytes | Clean | Zoner | Clean | ESET-NOD32 | Clean |
| TrendMicro-HouseCall | Clean | Tencent | Win32.Trojan.Inject.Auto | Yandex | Clean |
| Ikarus | Clean | eGambit | Clean | GData | Clean |
| BitDefenderTheta | Gen:[email protected] | AVG | Clean | Panda | Clean |
| CrowdStrike | win/malicious_confidence_60% (D) | MaxSecure | Trojan.Malware.300983.susgen | | |

Sorry! No behavior.

Hosts

| Direct | IP | Country Name |
|---|---|---|
| Y | 8.8.8.8 [VT] | United States |
| Y | 1.1.1.1 [VT] | Australia |

TCP

No TCP connections recorded.

UDP

| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.1.2 | 64006 | 1.1.1.1 | 53 |
| 192.168.1.2 | 64006 | 8.8.8.8 | 53 |

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name services.exe
PID 464
Dump Size 258048 bytes
Module Path C:\Windows\System32\services.exe
Type PE image: 32-bit executable
PE timestamp 2015-04-13 01:58:57
MD5 dba79251a9965a747018370684daabfc
SHA1 a37ece7413887d33bb8cf80ff7dc6588712e497d
SHA256 2e528e6c91f66b677eeb6b5825c28880086bf6e2eeebee7407e9b9d39e681142
CRC32 698F318B
Ssdeep 6144:pRm4fgIzD+kSkLWD2ZbePM6eZVF/3BmT:O4AKLWYiPTeZVF3
Dump Filename 2e528e6c91f66b677eeb6b5825c28880086bf6e2eeebee7407e9b9d39e681142
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Credential Access
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser

Collection
  • T1005 - Data from Local System
    • Signature - infostealer_browser

Execution
  • T1129 - Execution through Module Load
    • Signature - dropper
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 5.058999999999999 seconds )

    • 2.867 BehaviorAnalysis
    • 1.101 Static
    • 0.298 static_dotnet
    • 0.284 CAPE
    • 0.205 VirusTotal
    • 0.061 TargetInfo
    • 0.044 Deduplicate
    • 0.043 AnalysisInfo
    • 0.04 ProcDump
    • 0.029 Dropped
    • 0.028 Strings
    • 0.027 Debug
    • 0.022 NetworkAnalysis
    • 0.008 peid
    • 0.002 Suricata

    Signatures ( 2.508999999999995 seconds )

    • 0.414 antiav_detectreg
    • 0.157 territorial_disputes_sigs
    • 0.146 infostealer_ftp
    • 0.105 antianalysis_detectreg
    • 0.089 masquerade_process_name
    • 0.081 stealth_timeout
    • 0.076 decoy_document
    • 0.072 api_spamming
    • 0.072 infostealer_im
    • 0.069 NewtWire Behavior
    • 0.039 antianalysis_detectfile
    • 0.039 antivm_vbox_keys
    • 0.039 infostealer_bitcoin
    • 0.036 antiav_detectfile
    • 0.035 antivm_generic_disk
    • 0.033 mimics_filetime
    • 0.032 injection_createremotethread
    • 0.031 Doppelganging
    • 0.03 reads_self
    • 0.029 antivm_vmware_keys
    • 0.028 InjectionCreateRemoteThread
    • 0.028 infostealer_browser
    • 0.028 virus
    • 0.028 ransomware_files
    • 0.027 stealth_file
    • 0.026 infostealer_mail
    • 0.023 antidebug_guardpages
    • 0.022 bootkit
    • 0.022 antivm_parallels_keys
    • 0.021 exploit_heapspray
    • 0.018 hancitor_behavior
    • 0.018 antivm_xen_keys
    • 0.018 geodo_banking_trojan
    • 0.017 antivm_generic_scsi
    • 0.017 ransomware_extensions
    • 0.016 antivm_generic_diskreg
    • 0.015 dynamic_function_loading
    • 0.014 InjectionInterProcess
    • 0.014 antivm_vbox_files
    • 0.013 Unpacker
    • 0.013 antiemu_wine_func
    • 0.013 infostealer_browser_password
    • 0.013 malicious_dynamic_function_loading
    • 0.013 bypass_firewall
    • 0.012 antivm_hyperv_keys
    • 0.012 antivm_vpc_keys
    • 0.012 predatorthethief_files
    • 0.012 qulab_files
    • 0.011 injection_runpe
    • 0.01 exec_crash
    • 0.01 kovter_behavior
    • 0.01 stack_pivot
    • 0.009 InjectionProcessHollowing
    • 0.009 antivm_generic_services
    • 0.009 shifu_behavior
    • 0.009 recon_fingerprint
    • 0.008 network_tor
    • 0.008 persistence_autorun
    • 0.008 OrcusRAT Behavior
    • 0.008 antivm_xen_keys
    • 0.008 darkcomet_regkeys
    • 0.007 PlugX
    • 0.007 antivm_vbox_libs
    • 0.007 betabot_behavior
    • 0.007 kibex_behavior
    • 0.007 blackrat_registry_keys
    • 0.007 recon_programs
    • 0.006 antiav_avast_libs
    • 0.006 dyre_behavior
    • 0.006 exploit_getbasekerneladdress
    • 0.006 limerat_regkeys
    • 0.006 warzonerat_regkeys
    • 0.006 remcos_regkeys
    • 0.005 antidbg_windows
    • 0.005 antisandbox_sleep
    • 0.005 exploit_gethaldispatchtable
    • 0.005 hawkeye_behavior
    • 0.005 vawtrak_behavior
    • 0.005 antidbg_devices
    • 0.005 antivm_vmware_files
    • 0.005 codelux_behavior
    • 0.005 medusalocker_regkeys
    • 0.004 antisandbox_sunbelt_libs
    • 0.004 antivm_generic_system
    • 0.004 ketrican_regkeys
    • 0.004 browser_security
    • 0.003 antiav_bitdefender_libs
    • 0.003 antiav_bullgaurd_libs
    • 0.003 antiav_emsisoft_libs
    • 0.003 antiav_qurb_libs
    • 0.003 antiav_apioverride_libs
    • 0.003 antiav_nthookengine_libs
    • 0.003 antisandbox_sboxie_libs
    • 0.003 uac_bypass_eventvwr
    • 0.003 encrypted_ioc
    • 0.003 Vidar Behavior
    • 0.003 ipc_namedpipe
    • 0.003 tinba_behavior
    • 0.003 antivm_generic_bios
    • 0.003 disables_browser_warn
    • 0.003 packer_armadillo_regkey
    • 0.003 sniffer_winpcap
    • 0.002 InjectionSetWindowLong
    • 0.002 antivm_vmware_libs
    • 0.002 lsass_credential_dumping
    • 0.002 injection_explorer
    • 0.002 kazybot_behavior
    • 0.002 office_flash_load
    • 0.002 rat_nanocore
    • 0.002 neshta_files
    • 0.002 antivm_vbox_devices
    • 0.002 modify_proxy
    • 0.002 network_tor_service
    • 0.002 nemty_regkeys
    • 0.002 revil_mutexes
    • 0.002 rat_pcclient
    • 0.002 warzonerat_files
    • 0.002 remcos_files
    • 0.001 TransactedHollowing
    • 0.001 regsvr32_squiblydoo_dll_load
    • 0.001 cerber_behavior
    • 0.001 dridex_behavior
    • 0.001 h1n1_behavior
    • 0.001 Raccoon Behavior
    • 0.001 persistence_autorun_tasks
    • 0.001 dcrat_behavior
    • 0.001 rat_luminosity
    • 0.001 sets_autoconfig_url
    • 0.001 stack_pivot_file_created
    • 0.001 persists_dev_util
    • 0.001 spawns_dev_util
    • 0.001 antisandbox_fortinet_files
    • 0.001 antisandbox_threattrack_files
    • 0.001 antivm_vpc_files
    • 0.001 banker_cridex
    • 0.001 banker_zeus_mutex
    • 0.001 bitcoin_opencl
    • 0.001 bot_drive
    • 0.001 bot_drive2
    • 0.001 browser_addon
    • 0.001 clears_logs
    • 0.001 disables_smartscreen
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 removes_windows_defender_contextmenu
    • 0.001 arkei_files
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 persistence_shim_database
    • 0.001 dcrat_files
    • 0.001 obliquerat_files
    • 0.001 rat_spynet
    • 0.001 spreading_autoruninf
    • 0.001 targeted_flame

    Reporting ( 21.054000000000002 seconds )

    • 20.974 BinGraph
    • 0.079 MITRE_TTPS
    • 0.001 PCAP2CERT