CAPE

Triggered CAPE Tasks: Task #12804: Extraction


Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-02-14 14:22:25 2020-02-14 14:23:51 86 seconds Show Options Show Log
route = inetsim
procdump = 1
2020-02-14 15:22:38,015 [root] INFO: Date set to: 02-14-20, time set to: 14:22:38, timeout set to: 200
2020-02-14 15:22:38,092 [root] DEBUG: Starting analyzer from: C:\lgvcq
2020-02-14 15:22:38,092 [root] DEBUG: Storing results at: C:\xZLSixNn
2020-02-14 15:22:38,092 [root] DEBUG: Pipe server name: \\.\PIPE\peeybUlSe
2020-02-14 15:22:38,092 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 15:22:38,092 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 15:22:39,265 [root] DEBUG: Started auxiliary module Browser
2020-02-14 15:22:39,265 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 15:22:39,280 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 15:22:41,796 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 15:22:41,796 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 15:22:41,812 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 15:22:41,812 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 15:22:41,812 [root] DEBUG: Started auxiliary module Human
2020-02-14 15:22:41,812 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 15:22:41,828 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 15:22:41,828 [root] DEBUG: Started auxiliary module Usage
2020-02-14 15:22:41,828 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 15:22:41,828 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 15:22:42,796 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\tradition.exe" with arguments "" with pid 3248
2020-02-14 15:22:43,796 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 15:22:43,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\lgvcq\dll\DiPwvbyE.dll, loader C:\lgvcq\bin\axYegsY.exe
2020-02-14 15:22:44,858 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\peeybUlSe.
2020-02-14 15:22:44,937 [root] DEBUG: Loader: Injecting process 3248 (thread 3360) with C:\lgvcq\dll\DiPwvbyE.dll.
2020-02-14 15:22:45,140 [root] DEBUG: Process image base: 0x00EC0000
2020-02-14 15:22:45,155 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\lgvcq\dll\DiPwvbyE.dll.
2020-02-14 15:22:45,155 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 15:22:45,155 [root] DEBUG: Successfully injected DLL C:\lgvcq\dll\DiPwvbyE.dll.
2020-02-14 15:22:45,155 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3248
2020-02-14 15:22:47,155 [lib.api.process] INFO: Successfully resumed process with pid 3248
2020-02-14 15:22:47,155 [root] INFO: Added new process to list with pid: 3248
2020-02-14 15:22:48,140 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 15:22:48,155 [root] DEBUG: Process dumps enabled.
2020-02-14 15:22:48,796 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 15:22:48,796 [root] INFO: Disabling sleep skipping.
2020-02-14 15:22:48,796 [root] INFO: Disabling sleep skipping.
2020-02-14 15:22:48,796 [root] INFO: Disabling sleep skipping.
2020-02-14 15:22:48,796 [root] INFO: Disabling sleep skipping.
2020-02-14 15:22:48,796 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3248 at 0x6c3b0000, image base 0xec0000, stack from 0x2f6000-0x300000
2020-02-14 15:22:48,796 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\tradition.exe".
2020-02-14 15:22:48,812 [root] INFO: Monitor successfully loaded in process with pid 3248.
2020-02-14 15:23:16,187 [root] DEBUG: set_caller_info: Adding region at 0x001F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-02-14 15:23:16,187 [root] DEBUG: DLL loaded at 0x76200000: C:\Windows\system32\SHELL32 (0xc4c000 bytes).
2020-02-14 15:23:16,187 [root] DEBUG: DLL loaded at 0x72A90000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-02-14 15:23:16,187 [root] DEBUG: DLL loaded at 0x72430000: C:\Windows\system32\webio (0x50000 bytes).
2020-02-14 15:23:16,187 [root] DEBUG: DLL loaded at 0x75340000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-14 15:23:16,187 [root] DEBUG: DLL loaded at 0x76FB0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-14 15:23:16,187 [root] DEBUG: DLL unloaded from 0x75130000.
2020-02-14 15:23:16,203 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-02-14 15:23:16,203 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\system32\credssp (0x8000 bytes).
2020-02-14 15:23:16,203 [root] DEBUG: DLL unloaded from 0x74590000.
2020-02-14 15:23:16,203 [root] DEBUG: DLL loaded at 0x74550000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-02-14 15:23:16,203 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-02-14 15:23:16,203 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-02-14 15:23:16,203 [root] DEBUG: DLL loaded at 0x74410000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-02-14 15:23:16,217 [root] DEBUG: DLL loaded at 0x73060000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-02-14 15:23:16,217 [root] DEBUG: DLL loaded at 0x73020000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-02-14 15:23:16,217 [root] DEBUG: DLL loaded at 0x71420000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-02-14 15:23:16,250 [root] DEBUG: DLL loaded at 0x72FC0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-02-14 15:23:16,296 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\system32\schannel (0x41000 bytes).
2020-02-14 15:23:16,312 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\CRYPT32 (0x122000 bytes).
2020-02-14 15:23:16,312 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-02-14 15:23:16,453 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\secur32 (0x8000 bytes).
2020-02-14 15:23:16,453 [root] DEBUG: DLL loaded at 0x74700000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-02-14 15:23:16,453 [root] DEBUG: DLL loaded at 0x746E0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-02-14 15:23:16,453 [root] DEBUG: DLL loaded at 0x74660000: C:\Windows\system32\bcryptprimitives (0x3d000 bytes).
2020-02-14 15:23:16,562 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-02-14 15:23:16,578 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 15:23:16,578 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 15:23:16,592 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 15:23:16,717 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3248
2020-02-14 15:23:16,717 [root] DEBUG: GetHookCallerBase: thread 3360 (handle 0x0), return address 0x00EC164A, allocation base 0x00EC0000.
2020-02-14 15:23:16,717 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00EC0000.
2020-02-14 15:23:16,733 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 15:23:16,733 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00EC0000.
2020-02-14 15:23:16,733 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000163D.
2020-02-14 15:23:16,733 [root] INFO: Added new CAPE file to list with path: C:\xZLSixNn\CAPE\3248_5178544242132314522020
2020-02-14 15:23:16,733 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1800.
2020-02-14 15:23:16,733 [root] DEBUG: DLL unloaded from 0x74660000.
2020-02-14 15:23:16,733 [root] DEBUG: DLL unloaded from 0x74850000.
2020-02-14 15:23:16,733 [root] DEBUG: DLL unloaded from 0x74390000.
2020-02-14 15:23:16,733 [root] DEBUG: DLL unloaded from 0x74260000.
2020-02-14 15:23:16,765 [root] DEBUG: DLL unloaded from 0x75270000.
2020-02-14 15:23:16,765 [root] INFO: Notified of termination of process with pid 3248.
2020-02-14 15:23:22,546 [root] INFO: Process list is empty, terminating analysis.
2020-02-14 15:23:23,592 [root] INFO: Created shutdown mutex.
2020-02-14 15:23:24,625 [root] INFO: Shutting down package.
2020-02-14 15:23:24,625 [root] INFO: Stopping auxiliary modules.
2020-02-14 15:23:25,046 [root] INFO: Finishing auxiliary modules.
2020-02-14 15:23:25,046 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 15:23:25,046 [root] WARNING: File at path "C:\xZLSixNn\debugger" does not exist, skip.
2020-02-14 15:23:25,046 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-02-14 14:22:26 2020-02-14 14:23:49

File Details

File Name tradition.exe
File Size 133120 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b8fb44a0af2790cf9f840d07293bbbf7
SHA1 f8462cf74511361d6b0fe47a3684544e946ee5ea
SHA256 bab32f942f49f174fedb3bfbb439bb2ec8abc558d303e7e12b4dd49622813551
SHA512 cc424dbc4efe976b74ed6437ec5dad050054b8688c937e075dfb70e6285c24e1658a4504303c01ed0b93459cfb28708ccc2563a94b607d73dc82a64290ce3172
CRC32 3495F59B
Ssdeep 3072:kmaEKiVT8wT+2ww+ajiKtTZlllll9CogqHmz0:kmaEltmwJ5mogamz0
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched
Download Download ZIP Resubmit sample

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
IP: 192.0.2.123:443
The PE file contains a PDB path
pdbpath: c:\WestMake\Chairvisit\industryquick\flatlight\sleepInstrument\hitwrote\ThemStart\lawpickthan.pdb
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: tradition.exe, PID 3248
Dynamic (imported) function loading detected
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegisterTraceGuidsW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/OpenThreadToken
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/OpenProcessToken
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/AllocateAndInitializeSid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/CheckTokenMembership
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/FreeSid
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: kernel32.dll/EnumSystemLocalesEx
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetDateFormatEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetTimeFormatEx
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/IsValidLocaleName
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleExW
DynamicLoader: kernel32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: SHELL32.dll/SHGetFolderPathA
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptGetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: WS2_32.dll/
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: WS2_32.dll/
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
File has been identified by 20 Antiviruses on VirusTotal as malicious
McAfee: Artemis!B8FB44A0AF27
Cylance: Unsafe
Sangfor: Malware
BitDefenderTheta: Gen:[email protected]
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Paloalto: generic.ml
Kaspersky: UDS:DangerousObject.Multi.Generic
Avast: FileRepMalware
Rising: Malware.Heuristic!ET#95% (RDMK:cmRtazoGTEV88mrvYH1DY+bKx5up)
McAfee-GW-Edition: BehavesLike.Win32.BadFile.ch
FireEye: Generic.mg.b8fb44a0af2790cf
SentinelOne: DFI - Malicious PE
Microsoft: Trojan:Win32/Wacatac.C!ml
Endgame: malicious (high confidence)
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Acronis: suspicious
Webroot: W32.Obfuscated.Gen
AVG: FileRepMalware
CrowdStrike: win/malicious_confidence_80% (W)
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

Name Response Post-Analysis Lookup
laroshelle.best [VT] A 192.0.2.123 [VT] 157.230.118.244 [VT]

Summary

C:\Users\Rebecca\AppData\Local\Rebecca
C:\Users\Rebecca\AppData\Local\Rebecca\photo.png
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\QAGENTRT.DLL
C:\Windows\System32\dnsapi.dll
C:\Windows\System32\fveui.dll
C:\Windows\System32\wuaueng.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\en-US\CRYPT32.dll.mui
C:\Users\Rebecca\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\Rebecca\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\Rebecca\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Users\Rebecca\AppData\Local\Rebecca\photo.png
C:\Windows\System32\en-US\CRYPT32.dll.mui
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\ChainUrlRetrievalTimeoutMilliseconds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\Options
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\CrossCertDownloadIntervalHours
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\CRLValidityExtensionPeriod
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\363E4734F757BDEB89868EFE94907774A327695E
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\363E4734F757BDEB89868EFE94907774A327695E\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\ChainUrlRetrievalTimeoutMilliseconds
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\Options
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\CrossCertDownloadIntervalHours
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config\CRLValidityExtensionPeriod
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\363E4734F757BDEB89868EFE94907774A327695E\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\36\52C64B7E\LanguageList
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegisterTraceGuidsW
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenThreadToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.OpenProcessToken
api-ms-win-downlevel-advapi32-l1-1-0.dll.AllocateAndInitializeSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.CheckTokenMembership
api-ms-win-downlevel-advapi32-l1-1-0.dll.FreeSid
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.GetUserNameA
kernel32.dll.ReadFile
kernel32.dll.HeapFree
kernel32.dll.WriteFile
kernel32.dll.CreateFileA
kernel32.dll.CloseHandle
kernel32.dll.HeapAlloc
kernel32.dll.GetFileSize
kernel32.dll.GetProcessHeap
kernel32.dll.GetModuleFileNameA
kernel32.dll.VirtualProtect
kernel32.dll.VirtualAlloc
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.Sleep
kernel32.dll.lstrcpyA
kernel32.dll.ExitProcess
kernel32.dll.CreateDirectoryA
kernel32.dll.HeapReAlloc
shell32.dll.SHGetFolderPathA
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpen
user32.dll.wsprintfW
user32.dll.wsprintfA
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
ws2_32.dll.WSASend
ws2_32.dll.WSARecv
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptGetKeyParam
cryptsp.dll.CryptDestroyKey
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ncrypt.dll.SslEncryptPacket
ncrypt.dll.SslDecryptPacket
ws2_32.dll.#22
crypt32.dll.CertFreeCertificateContext
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
ws2_32.dll.#3
rpcrt4.dll.RpcBindingFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x00403b63
Reported Checksum 0x00025596
Actual Checksum 0x0002f534
Minimum OS Version 6.0
PDB Path c:\WestMake\Chairvisit\industryquick\flatlight\sleepInstrument\hitwrote\ThemStart\lawpickthan.pdb
Compile Time 2014-02-13 11:11:27
Import Hash b7c53c7bbb83f44d1a038beb1937bd87
Icon
Icon Exact Hash aeed383777253deebe163f9c78a85e72
Icon Similarity Hash 8e4760d163627f7f43e608d4655dcfba

Version Infos

LegalCopyright Copyright \xa9 2007-2015 Waitvalley Timerail
InternalName fla.exe
FileVersion 9.5.18.76
CompanyName www.circletaboy.com
LegalTrademarks Minute Fullwar
Comments Viewprove cha arrangemost machine
ProductName Minute Fullwar
ProductVersion 9.5.18.76
FileDescription Minute Fullwar
OriginalFilename fla.exe
Translation 0x0000 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0001062b 0x00010800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.73
.rdata 0x00012000 0x00007f4a 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.33
.data 0x0001a000 0x0001ade0 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.17
.rsrc 0x00035000 0x00004b38 0x00004c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.03
.reloc 0x0003a000 0x0000178c 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.60

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00039198 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.53 GLS_BINARY_LSB_FIRST
RT_ICON 0x00039198 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.53 GLS_BINARY_LSB_FIRST
RT_ICON 0x00039198 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.53 GLS_BINARY_LSB_FIRST
RT_ICON 0x00039198 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.53 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x00039600 0x0000003e LANG_NEUTRAL SUBLANG_NEUTRAL 2.62 data
RT_VERSION 0x00039640 0x0000039c LANG_NEUTRAL SUBLANG_NEUTRAL 3.44 data
RT_MANIFEST 0x000399dc 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 ASCII text, with CRLF line terminators

Imports

Library KERNEL32.dll:
0x412000 MoveFileExA
0x412004 Sleep
0x412008 GetSystemDirectoryA
0x41200c VirtualProtect
0x412014 GetFileTime
0x412018 GetCurrentProcessId
0x41201c GetTempPathA
0x412020 CloseHandle
0x412024 WriteConsoleW
0x412028 SetFilePointerEx
0x41202c SetStdHandle
0x412030 GetConsoleMode
0x412034 GetConsoleCP
0x412038 FlushFileBuffers
0x41203c GetStringTypeW
0x412040 LCMapStringW
0x412044 HeapReAlloc
0x412048 HeapAlloc
0x41204c EncodePointer
0x412050 DecodePointer
0x412054 GetCommandLineA
0x412058 RaiseException
0x41205c RtlUnwind
0x412060 IsDebuggerPresent
0x412068 GetLastError
0x41206c ExitProcess
0x412070 GetModuleHandleExW
0x412074 GetProcAddress
0x412078 MultiByteToWideChar
0x41207c WideCharToMultiByte
0x412080 GetStdHandle
0x412084 WriteFile
0x412088 GetModuleFileNameW
0x41208c GetProcessHeap
0x412090 SetLastError
0x412094 GetCurrentThreadId
0x412098 HeapSize
0x41209c HeapFree
0x4120a0 GetFileType
0x4120a8 GetStartupInfoW
0x4120ac GetModuleFileNameA
0x4120cc GetCurrentProcess
0x4120d0 TerminateProcess
0x4120d4 TlsAlloc
0x4120d8 TlsGetValue
0x4120dc TlsSetValue
0x4120e0 TlsFree
0x4120e4 GetModuleHandleW
0x4120f0 LoadLibraryExW
0x4120f4 IsValidCodePage
0x4120f8 GetACP
0x4120fc GetOEMCP
0x412100 GetCPInfo
0x412104 OutputDebugStringW
0x412108 CreateFileW
Library WININET.dll:
0x412124 InternetCloseHandle
0x412128 InternetOpenA
0x412130 InternetReadFile
0x412134 InternetCrackUrlA
0x412140 InternetOpenUrlA
0x412144 HttpQueryInfoA
0x41214c InternetWriteFile
Library USERENV.dll:

.text
`.rdata
@.data
.rsrc
@.reloc
Pht0A
SVWUj
;5$MC
;5$MC
u0hXxA
u!h`xA
@hxxA
permission denied
file exists
no such device
filename too long
device or resource busy
io error
directory not empty
invalid argument
no space on device
no such file or directory
function not supported
no lock available
not enough memory
resource unavailable try again
cross device link
operation canceled
too many files open
permission_denied
address_in_use
address_not_available
address_family_not_supported
connection_already_in_progress
bad_file_descriptor
connection_aborted
connection_refused
connection_reset
destination_address_required
bad_address
host_unreachable
operation_in_progress
interrupted
invalid_argument
already_connected
too_many_files_open
message_size
filename_too_long
network_down
network_reset
network_unreachable
no_buffer_space
no_protocol_option
not_connected
not_a_socket
operation_not_supported
protocol_not_supported
wrong_protocol_type
timed_out
operation_would_block
address family not supported
address in use
address not available
already connected
argument list too long
argument out of domain
bad address
bad file descriptor
bad message
broken pipe
connection aborted
connection already in progress
connection refused
connection reset
destination address required
executable format error
file too large
host unreachable
identifier removed
illegal byte sequence
inappropriate io control operation
invalid seek
is a directory
message size
network down
network reset
network unreachable
no buffer space
no child process
no link
no message available
no message
no protocol option
no stream resources
no such device or address
no such process
not a directory
not a socket
not a stream
not connected
not supported
operation in progress
operation not permitted
operation not supported
operation would block
owner dead
protocol error
protocol not supported
read only file system
resource deadlock would occur
result out of range
state not recoverable
stream timeout
text file busy
timed out
too many files open in system
too many links
too many symbolic link levels
value too large
wrong protocol type
bad allocation
Visual C++ CRT: Not enough memory to complete call to strerror.
Unknown exception
CorExitProcess
No error
Operation not permitted
No such file or directory
No such process
Interrupted function call
Input/output error
No such device or address
Arg list too long
Exec format error
Bad file descriptor
No child processes
Resource temporarily unavailable
Not enough space
Permission denied
Bad address
Unknown error
Resource device
File exists
Improper link
No such device
Not a directory
Is a directory
Invalid argument
Too many open files in system
Too many open files
Inappropriate I/O control operation
File too large
No space left on device
Invalid seek
Read-only file system
Too many links
Broken pipe
Domain error
Result too large
Resource deadlock avoided
Filename too long
No locks available
Function not implemented
Directory not empty
Illegal byte sequence
log10
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
bad exception
e+000
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
1#SNAN
1#IND
1#INF
1#QNAN
UknQR
generic
unknown error
iostream
iostream stream error
system
string too long
invalid string position
c:\WestMake\Chairvisit\industryquick\flatlight\sleepInstrument\hitwrote\ThemStart\lawpickthan.pdb
MoveFileExA
Sleep
GetSystemDirectoryA
VirtualProtect
GetCurrentDirectoryA
GetFileTime
GetCurrentProcessId
GetTempPathA
KERNEL32.dll
InternetCanonicalizeUrlA
HttpQueryInfoA
InternetOpenUrlA
InternetGetLastResponseInfoA
InternetQueryDataAvailable
InternetCrackUrlA
InternetReadFile
InternetWriteFile
InternetSetFilePointer
InternetOpenA
InternetCloseHandle
WININET.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
LeaveCriticalPolicySection
ExpandEnvironmentStringsForUserA
USERENV.dll
HeapAlloc
EncodePointer
DecodePointer
GetCommandLineA
RaiseException
RtlUnwind
IsDebuggerPresent
IsProcessorFeaturePresent
GetLastError
ExitProcess
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
GetModuleFileNameW
GetProcessHeap
SetLastError
GetCurrentThreadId
HeapSize
HeapFree
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
EnterCriticalSection
LeaveCriticalSection
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
HeapReAlloc
LCMapStringW
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
6"6&6
Amscoree.dll
runtime error
Program:
<program name unknown>
Microsoft Visual C++ Runtime Library
kernel32.dll
Aja-JP
zh-CN
ko-KR
zh-TW
USER32.DLL
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
Viewprove cha arrangemost machine
CompanyName
www.circletaboy.com
FileDescription
Minute Fullwar
FileVersion
9.5.18.76
InternalName
fla.exe
LegalCopyright
2007-2015 Waitvalley Timerail
LegalTrademarks
Minute Fullwar
OriginalFilename
fla.exe
ProductName
Minute Fullwar
ProductVersion
9.5.18.76
VarFileInfo
Translation

Full Results

VirusTotal Signature
Bkav Clean
DrWeb Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Artemis!B8FB44A0AF27
Cylance Unsafe
Zillya Clean
Sangfor Malware
K7AntiVirus Clean
BitDefender Clean
K7GW Clean
Cybereason Clean
TrendMicro Clean
BitDefenderTheta Gen:[email protected]
Cyren Clean
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Clean
APEX Malicious
Paloalto generic.ml
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
SUPERAntiSpyware Clean
Tencent Clean
Ad-Aware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
Baidu Clean
VIPRE Clean
Invincea Clean
McAfee-GW-Edition BehavesLike.Win32.BadFile.ch
Trapmine Clean
FireEye Generic.mg.b8fb44a0af2790cf
Sophos Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
MaxSecure Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Trojan:Win32/Wacatac.C!ml
Endgame malicious (high confidence)
Arcabit Clean
AegisLab Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic
Avast-Mobile Clean
GData Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis suspicious
VBA32 Clean
ALYac Clean
MAX Clean
Panda Clean
Zoner Clean
TrendMicro-HouseCall Clean
Rising Malware.Heuristic!ET#95% (RDMK:cmRtazoGTEV88mrvYH1DY+bKx5up)
Yandex Clean
SentinelOne DFI - Malicious PE
eGambit Clean
Fortinet Clean
Webroot W32.Obfuscated.Gen
AVG FileRepMalware
Avast FileRepMalware
CrowdStrike win/malicious_confidence_80% (W)
Qihoo-360 Clean

Process Tree


tradition.exe, PID: 3248, Parent PID: 1736
Full Path: C:\Users\Rebecca\AppData\Local\Temp\tradition.exe
Command Line: "C:\Users\Rebecca\AppData\Local\Temp\tradition.exe"

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.3 50933 1.1.1.1 53
192.168.1.3 56366 1.1.1.1 53
192.168.1.3 62840 1.1.1.1 53
192.168.1.3 62988 1.1.1.1 53

DNS

Name Response Post-Analysis Lookup
laroshelle.best [VT] A 192.0.2.123 [VT] 157.230.118.244 [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-02-14 14:23:39.750 192.168.1.3 [VT] 49166 192.0.2.123 [VT] 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLSv1

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.3 49166 192.0.2.123 laroshelle.best 443 26b795b92394b98210b2495089be3a26 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name tradition.exe
PID 3248
Dump Size 6144 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\tradition.exe
Type PE image: 32-bit executable
MD5 e7413c5f676bde1716ab67595185b1ad
SHA1 c3571743d7cd43f8d1e2f5c9bd79dc1abcd43763
SHA256 3fad650938ceba755f79def310c40fd5ccd98fb1c863243a3398703f75fc0e0c
CRC32 800C3A1D
Ssdeep 48:iVVOwnqlqVz0Q0qRwyh/SQZmKUAnwrbBhiCpETyNykPrZdeonKzdw2222zijja3P:MlqqVwHUhr8wWbB0CpTPL3KJvi0/D83
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 3fad650938ceba755f79def310c40fd5ccd98fb1c863243a3398703f75fc0e0c
Download Download ZIP Submit file

BinGraph

JSON Report Download
MAEC Report Download

Comments



No comments posted

Processing ( 7.359 seconds )

  • 5.079 Suricata
  • 0.459 Static
  • 0.397 NetworkAnalysis
  • 0.329 CAPE
  • 0.313 peid
  • 0.273 BehaviorAnalysis
  • 0.246 VirusTotal
  • 0.163 TargetInfo
  • 0.051 Deduplicate
  • 0.038 ProcDump
  • 0.007 AnalysisInfo
  • 0.002 Debug
  • 0.002 Strings

Signatures ( 0.378 seconds )

  • 0.131 antiav_detectreg
  • 0.042 infostealer_ftp
  • 0.028 antianalysis_detectreg
  • 0.023 infostealer_im
  • 0.013 antivm_vbox_keys
  • 0.012 stealth_timeout
  • 0.011 api_spamming
  • 0.01 NewtWire Behavior
  • 0.01 decoy_document
  • 0.009 antivm_vmware_keys
  • 0.008 infostealer_mail
  • 0.006 antivm_generic_scsi
  • 0.006 antivm_parallels_keys
  • 0.006 antivm_xen_keys
  • 0.006 ransomware_files
  • 0.004 antivm_generic_services
  • 0.004 antiav_detectfile
  • 0.004 antivm_generic_diskreg
  • 0.004 antivm_vpc_keys
  • 0.003 geodo_banking_trojan
  • 0.002 recon_programs
  • 0.002 persistence_autorun
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 bypass_firewall
  • 0.002 infostealer_bitcoin
  • 0.002 ransomware_extensions
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 uac_bypass_eventvwr
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 EvilGrab
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 antivm_generic_disk
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_system
  • 0.001 antivm_vbox_files
  • 0.001 ketrican_regkeys
  • 0.001 browser_security
  • 0.001 darkcomet_regkeys
  • 0.001 masquerade_process_name
  • 0.001 network_torgateway
  • 0.001 limerat_regkeys
  • 0.001 recon_fingerprint

Reporting ( 2.591 seconds )

  • 1.05 BinGraph
  • 0.953 MaecReport
  • 0.434 JsonDump
  • 0.154 SubmitCAPE
Task ID 12803
Mongo ID 5e46ad87c3436de9e06673c5
Cuckoo release 1.3-CAPE
Delete