Analysis

Category: FILE
Package: exe
Started: 2020-02-14 15:01:47
Completed: 2020-02-14 15:08:28
Duration: 401 seconds
Options:
route = inetsim
procdump = 1
Log:
2020-02-14 16:02:42,140 [root] INFO: Date set to: 02-14-20, time set to: 15:02:41, timeout set to: 200
2020-02-14 16:02:42,640 [root] DEBUG: Starting analyzer from: C:\jqrob
2020-02-14 16:02:42,640 [root] DEBUG: Storing results at: C:\cAmFxgrZc
2020-02-14 16:02:42,640 [root] DEBUG: Pipe server name: \\.\PIPE\AzomzmRG
2020-02-14 16:02:42,640 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 16:02:42,640 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 16:03:02,405 [root] DEBUG: Started auxiliary module Browser
2020-02-14 16:03:02,405 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 16:03:02,405 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 16:03:05,655 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 16:03:05,655 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 16:03:05,655 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 16:03:05,671 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 16:03:05,671 [root] DEBUG: Started auxiliary module Human
2020-02-14 16:03:05,671 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 16:03:05,703 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 16:03:05,703 [root] DEBUG: Started auxiliary module Usage
2020-02-14 16:03:05,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 16:03:05,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 16:03:05,890 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\pafish.exe" with arguments "" with pid 1144
2020-02-14 16:03:06,000 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:06,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:03:16,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:03:20,655 [root] DEBUG: Loader: Injecting process 1144 (thread 2432) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:23,671 [root] DEBUG: Process image base: 0x00400000
2020-02-14 16:03:25,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:27,578 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:03:28,078 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:28,078 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1144
2020-02-14 16:03:30,078 [lib.api.process] INFO: Successfully resumed process with pid 1144
2020-02-14 16:03:30,078 [root] INFO: Added new process to list with pid: 1144
2020-02-14 16:03:30,328 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:03:30,342 [root] DEBUG: Process dumps enabled.
2020-02-14 16:03:31,625 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:03:31,640 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:31,640 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:31,640 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:31,640 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:31,640 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1144 at 0x69f70000, image base 0x400000, stack from 0x226000-0x230000
2020-02-14 16:03:31,640 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\pafish.exe".
2020-02-14 16:03:31,640 [root] INFO: Monitor successfully loaded in process with pid 1144.
2020-02-14 16:03:43,015 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 16:03:45,655 [root] DEBUG: DLL loaded at 0x73B50000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-02-14 16:03:45,671 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-14 16:03:45,671 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\System32\drprov (0x8000 bytes).
2020-02-14 16:03:45,671 [root] DEBUG: DLL loaded at 0x759A0000: C:\Windows\System32\WINSTA (0x29000 bytes).
2020-02-14 16:03:45,671 [root] DEBUG: DLL loaded at 0x72A80000: C:\Windows\System32\ntlanman (0x14000 bytes).
2020-02-14 16:03:45,671 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\System32\davclnt (0x18000 bytes).
2020-02-14 16:03:45,687 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\System32\DAVHLPR (0x8000 bytes).
2020-02-14 16:03:55,140 [root] INFO: Stopped WMI Service
2020-02-14 16:03:55,155 [root] INFO: Attaching to DcomLaunch service (pid 556)
2020-02-14 16:03:55,280 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:55,280 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:03:55,280 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:03:55,280 [root] DEBUG: Loader: Injecting process 556 (thread 0) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:55,280 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-02-14 16:03:55,296 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:03:55,296 [root] DEBUG: Process dumps enabled.
2020-02-14 16:03:55,296 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:55,500 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 556 at 0x69f70000, image base 0xeb0000, stack from 0xdf6000-0xe00000
2020-02-14 16:03:55,500 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-02-14 16:03:55,500 [root] INFO: Added new process to list with pid: 556
2020-02-14 16:03:55,500 [root] INFO: Monitor successfully loaded in process with pid 556.
2020-02-14 16:03:55,546 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-02-14 16:03:55,546 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-02-14 16:03:55,578 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,592 [root] INFO: Announced 32-bit process name: dllhost.exe pid: 2944
2020-02-14 16:03:56,592 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:56,592 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:03:56,608 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:03:56,608 [root] DEBUG: Loader: Injecting process 2944 (thread 3152) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,608 [root] DEBUG: Process image base: 0x00300000
2020-02-14 16:03:56,608 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,608 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:03:56,608 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,608 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2944
2020-02-14 16:03:56,608 [root] INFO: Announced 32-bit process name: dllhost.exe pid: 2944
2020-02-14 16:03:56,608 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:56,608 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:03:56,608 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:03:56,625 [root] DEBUG: Loader: Injecting process 2944 (thread 3152) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,625 [root] DEBUG: Process image base: 0x00300000
2020-02-14 16:03:56,625 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,625 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-02-14 16:03:56,625 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2944
2020-02-14 16:03:56,625 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:03:56,671 [root] DEBUG: Process dumps enabled.
2020-02-14 16:03:56,671 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:56,671 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:03:56,671 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2944 at 0x69f70000, image base 0x300000, stack from 0x1e6000-0x1f0000
2020-02-14 16:03:56,671 [root] DEBUG: Commandline: C:\Windows\System32\DllHost.exe \Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}.
2020-02-14 16:03:56,671 [root] INFO: Added new process to list with pid: 2944
2020-02-14 16:03:56,671 [root] INFO: Monitor successfully loaded in process with pid 2944.
2020-02-14 16:03:56,671 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-14 16:03:56,687 [root] DEBUG: DLL loaded at 0x75D70000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:03:56,687 [root] DEBUG: DLL loaded at 0x76020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-14 16:03:56,687 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:03:56,687 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:03:56,703 [root] DEBUG: DLL loaded at 0x75990000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:03:56,796 [root] DEBUG: DLL loaded at 0x76C20000: C:\Windows\system32\wininet (0x437000 bytes).
2020-02-14 16:03:56,796 [root] INFO: Announced 32-bit process name: dllhost.exe pid: 3028
2020-02-14 16:03:56,796 [root] DEBUG: DLL loaded at 0x75A60000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,812 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:56,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x74EC0000: C:\Windows\system32\version (0x9000 bytes).
2020-02-14 16:03:56,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x75A50000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-02-14 16:03:56,812 [root] DEBUG: Loader: Injecting process 3028 (thread 3280) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x75D60000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-02-14 16:03:56,812 [root] DEBUG: Process image base: 0x00300000
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x76660000: C:\Windows\system32\iertutil (0x236000 bytes).
2020-02-14 16:03:56,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,812 [root] DEBUG: DLL loaded at 0x75C00000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-02-14 16:03:56,828 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:03:56,828 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-14 16:03:56,828 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3028
2020-02-14 16:03:56,828 [root] DEBUG: DLL loaded at 0x75A40000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-14 16:03:56,828 [root] INFO: Announced 32-bit process name: dllhost.exe pid: 3028
2020-02-14 16:03:56,828 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:56,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:03:56,828 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,842 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:03:56,842 [root] DEBUG: Loader: Injecting process 3028 (thread 3280) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,842 [root] DEBUG: Process image base: 0x00300000
2020-02-14 16:03:56,842 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,842 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-02-14 16:03:56,842 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:03:56,842 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3028
2020-02-14 16:03:56,842 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:03:56,842 [root] DEBUG: Process dumps enabled.
2020-02-14 16:03:56,858 [root] INFO: Disabling sleep skipping.
2020-02-14 16:03:56,890 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:03:56,890 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3028 at 0x69f70000, image base 0x300000, stack from 0x146000-0x150000
2020-02-14 16:03:56,890 [root] DEBUG: Commandline: C:\Windows\System32\DllHost.exe \Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}.
2020-02-14 16:03:56,890 [root] INFO: Added new process to list with pid: 3028
2020-02-14 16:03:56,890 [root] INFO: Monitor successfully loaded in process with pid 3028.
2020-02-14 16:03:56,890 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-14 16:03:56,890 [root] DEBUG: DLL loaded at 0x75D70000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:03:56,890 [root] DEBUG: DLL loaded at 0x76020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-14 16:03:56,905 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:03:56,905 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:03:56,905 [root] DEBUG: DLL loaded at 0x75990000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x76C20000: C:\Windows\System32\wininet (0x437000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75A60000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x74EC0000: C:\Windows\system32\version (0x9000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75A50000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75D60000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x76660000: C:\Windows\system32\iertutil (0x236000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75C00000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75A40000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-14 16:03:56,921 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-14 16:03:56,937 [root] DEBUG: DLL loaded at 0x756B0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-02-14 16:03:56,967 [root] DEBUG: DLL loaded at 0x77060000: C:\Windows\system32\SHELL32 (0xc4c000 bytes).
2020-02-14 16:03:56,967 [root] DEBUG: DLL loaded at 0x71D70000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-02-14 16:03:56,983 [root] DEBUG: DLL loaded at 0x76190000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-14 16:03:56,983 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-14 16:03:56,983 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-02-14 16:03:56,983 [root] DEBUG: DLL loaded at 0x73780000: C:\Windows\system32\webio (0x50000 bytes).
2020-02-14 16:03:56,983 [root] DEBUG: DLL unloaded from 0x73BA0000.
2020-02-14 16:03:56,983 [root] DEBUG: DLL loaded at 0x753B0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-02-14 16:03:57,000 [root] DEBUG: DLL loaded at 0x753A0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-02-14 16:03:57,000 [root] DEBUG: DLL loaded at 0x73EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-02-14 16:03:57,000 [root] DEBUG: DLL loaded at 0x73E70000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-02-14 16:03:57,000 [root] DEBUG: DLL loaded at 0x71D70000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-02-14 16:03:57,562 [root] DEBUG: DLL loaded at 0x77060000: C:\Windows\system32\SHELL32 (0xc4c000 bytes).
2020-02-14 16:03:57,562 [root] DEBUG: DLL loaded at 0x734C0000: C:\Program Files\Internet Explorer\sqmapi (0x39000 bytes).
2020-02-14 16:03:57,562 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-14 16:03:57,562 [root] DEBUG: DLL loaded at 0x71760000: C:\Windows\system32\ESENT (0x1a3000 bytes).
2020-02-14 16:03:57,578 [root] WARNING: Unable to access file at path "C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache.old": [Errno 13] Permission denied: u'C:\\Users\\Rebecca\\AppData\\Local\\Microsoft\\Windows\\WebCache.old'
2020-02-14 16:03:59,905 [root] INFO: Started WMI Service
2020-02-14 16:03:59,905 [root] INFO: Attaching to WMI service (pid 3492)
2020-02-14 16:03:59,905 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:03:59,905 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:04:00,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:04:00,000 [root] DEBUG: Loader: Injecting process 3492 (thread 0) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:00,000 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3712, handle 0x7c
2020-02-14 16:04:00,000 [root] DEBUG: Process image base: 0x00EB0000
2020-02-14 16:04:00,000 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-02-14 16:04:00,000 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-02-14 16:04:00,000 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:04:00,015 [root] DEBUG: Process dumps enabled.
2020-02-14 16:04:00,015 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:00,015 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3492 at 0x69f70000, image base 0xeb0000, stack from 0xaf6000-0xb00000
2020-02-14 16:04:00,015 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-02-14 16:04:00,015 [root] INFO: Added new process to list with pid: 3492
2020-02-14 16:04:00,015 [root] INFO: Monitor successfully loaded in process with pid 3492.
2020-02-14 16:04:00,015 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-02-14 16:04:00,015 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-02-14 16:04:00,015 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:00,562 [root] DEBUG: DLL unloaded from 0x77E50000.
2020-02-14 16:04:02,000 [root] DEBUG: DLL unloaded from 0x76AC0000.
2020-02-14 16:04:02,000 [root] DEBUG: DLL unloaded from 0x76C20000.
2020-02-14 16:04:02,000 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3028
2020-02-14 16:04:02,000 [root] DEBUG: GetHookCallerBase: thread 3280 (handle 0x0), return address 0x003012E9, allocation base 0x00300000.
2020-02-14 16:04:02,000 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00300000.
2020-02-14 16:04:02,000 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:04:02,000 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00300000.
2020-02-14 16:04:02,000 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001609.
2020-02-14 16:04:02,015 [root] DEBUG: DLL loaded at 0x75D70000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:04:02,030 [root] DEBUG: DLL loaded at 0x73330000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-02-14 16:04:02,030 [root] DEBUG: DLL loaded at 0x73580000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-02-14 16:04:02,030 [root] DEBUG: DLL loaded at 0x75540000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-02-14 16:04:02,030 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:04:02,046 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:04:02,046 [root] DEBUG: DLL loaded at 0x75990000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:04:02,046 [root] DEBUG: DLL loaded at 0x735F0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-02-14 16:04:02,046 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\system32\ATL (0x14000 bytes).
2020-02-14 16:04:02,046 [root] DEBUG: DLL loaded at 0x73E20000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-02-14 16:04:02,062 [root] DEBUG: DLL loaded at 0x73B40000: C:\Windows\system32\samcli (0xf000 bytes).
2020-02-14 16:04:02,062 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-02-14 16:04:02,062 [root] DEBUG: DLL loaded at 0x74190000: C:\Windows\system32\netutils (0x9000 bytes).
2020-02-14 16:04:02,062 [root] DEBUG: DLL loaded at 0x73F40000: C:\Windows\system32\es (0x47000 bytes).
2020-02-14 16:04:02,108 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-02-14 16:04:02,125 [root] DEBUG: DLL loaded at 0x72B50000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-02-14 16:04:02,125 [root] DEBUG: DLL loaded at 0x74EC0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-02-14 16:04:02,125 [root] DEBUG: DLL loaded at 0x72AA0000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2020-02-14 16:04:02,125 [root] DEBUG: DLL loaded at 0x73400000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2020-02-14 16:04:02,125 [root] DEBUG: DLL loaded at 0x730A0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-02-14 16:04:02,140 [root] DEBUG: DLL unloaded from 0x72B50000.
2020-02-14 16:04:02,203 [root] DEBUG: DLL loaded at 0x72C50000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:02,203 [root] DEBUG: DLL loaded at 0x72C50000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:02,203 [root] DEBUG: DLL loaded at 0x755A0000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-02-14 16:04:04,765 [root] INFO: Added new CAPE file to list with path: C:\cAmFxgrZc\CAPE\3028_11682613634471614522020
2020-02-14 16:04:04,780 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1e00.
2020-02-14 16:04:04,780 [root] DEBUG: DLL loaded at 0x72480000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-02-14 16:04:04,828 [root] INFO: Notified of termination of process with pid 3028.
2020-02-14 16:04:04,937 [root] DEBUG: DLL loaded at 0x6FBA0000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-02-14 16:04:04,937 [root] DEBUG: Terminate Event: Process 3028 has already been dumped(!)
2020-02-14 16:04:05,233 [root] DEBUG: Terminate Event: Skipping dump of process 3028
2020-02-14 16:04:05,233 [root] WARNING: File at path "C:\Windows\System32\wbem\repository\WRITABLE.TST" does not exist, skip.
2020-02-14 16:04:05,312 [root] DEBUG: DLL loaded at 0x755D0000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-02-14 16:04:05,905 [root] DEBUG: DLL unloaded from 0x755D0000.
2020-02-14 16:04:09,858 [root] DEBUG: DLL loaded at 0x6E0E0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-02-14 16:04:09,983 [root] DEBUG: DLL loaded at 0x6E8F0000: C:\Windows\system32\NCObjAPI (0xf000 bytes).
2020-02-14 16:04:10,125 [root] DEBUG: DLL loaded at 0x70090000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-02-14 16:04:12,092 [root] DEBUG: DLL loaded at 0x73400000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-02-14 16:04:12,562 [root] DEBUG: DLL loaded at 0x730A0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-02-14 16:04:15,483 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2356
2020-02-14 16:04:16,155 [root] DEBUG: DLL loaded at 0x73080000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-02-14 16:04:16,467 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:16,467 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:04:16,608 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:04:16,655 [root] DEBUG: Loader: Injecting process 2356 (thread 532) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:16,703 [root] DEBUG: Process image base: 0x011C0000
2020-02-14 16:04:16,750 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:16,796 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 16:04:16,842 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:16,842 [root] DEBUG: DLL unloaded from 0x76AC0000.
2020-02-14 16:04:16,842 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2356
2020-02-14 16:04:16,890 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2356
2020-02-14 16:04:16,890 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 16:04:16,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\jqrob\dll\kxViAgP.dll, loader C:\jqrob\bin\QXFaVpt.exe
2020-02-14 16:04:17,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AzomzmRG.
2020-02-14 16:04:17,092 [root] DEBUG: Loader: Injecting process 2356 (thread 532) with C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:17,342 [root] DEBUG: Process image base: 0x011C0000
2020-02-14 16:04:17,421 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:17,515 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-02-14 16:04:17,796 [root] DEBUG: Successfully injected DLL C:\jqrob\dll\kxViAgP.dll.
2020-02-14 16:04:17,858 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2356
2020-02-14 16:04:18,000 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 16:04:18,046 [root] DEBUG: Process dumps enabled.
2020-02-14 16:04:18,125 [root] INFO: Disabling sleep skipping.
2020-02-14 16:04:18,203 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 16:04:18,250 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2356 at 0x69f70000, image base 0x11c0000, stack from 0x170000-0x180000
2020-02-14 16:04:18,296 [root] DEBUG: Commandline: C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding.
2020-02-14 16:04:18,342 [root] INFO: Added new process to list with pid: 2356
2020-02-14 16:04:18,342 [root] INFO: Monitor successfully loaded in process with pid 2356.
2020-02-14 16:04:18,421 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-14 16:04:18,467 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-02-14 16:04:18,515 [root] DEBUG: DLL loaded at 0x760C0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-02-14 16:04:18,703 [root] DEBUG: DLL loaded at 0x75D70000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-02-14 16:04:18,812 [root] DEBUG: DLL loaded at 0x73330000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-02-14 16:04:18,858 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-02-14 16:04:18,905 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-02-14 16:04:19,092 [root] DEBUG: DLL loaded at 0x75990000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-02-14 16:04:19,733 [root] DEBUG: DLL unloaded from 0x72B50000.
2020-02-14 16:04:19,780 [root] DEBUG: DLL loaded at 0x72C50000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:21,030 [root] DEBUG: DLL loaded at 0x72480000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-02-14 16:04:22,342 [root] DEBUG: DLL loaded at 0x6D720000: C:\Windows\system32\wbem\cimwin32 (0x14a000 bytes).
2020-02-14 16:04:22,421 [root] DEBUG: DLL loaded at 0x6D900000: C:\Windows\system32\framedynos (0x35000 bytes).
2020-02-14 16:04:23,030 [root] DEBUG: DLL loaded at 0x75AC0000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-02-14 16:04:23,078 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-14 16:04:24,312 [root] DEBUG: DLL unloaded from 0x73400000.
2020-02-14 16:04:24,375 [root] DEBUG: DLL unloaded from 0x72C50000.
2020-02-14 16:04:24,421 [root] DEBUG: DLL unloaded from 0x73330000.
2020-02-14 16:04:24,608 [root] DEBUG: DLL loaded at 0x73330000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-02-14 16:04:24,655 [root] DEBUG: DLL loaded at 0x73580000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-02-14 16:04:24,703 [root] DEBUG: DLL loaded at 0x75540000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-02-14 16:04:24,828 [root] DEBUG: DLL loaded at 0x72C50000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-02-14 16:04:24,953 [root] DEBUG: DLL loaded at 0x73400000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-02-14 16:04:25,000 [root] DEBUG: DLL loaded at 0x730A0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-02-14 16:04:25,217 [root] DEBUG: DLL loaded at 0x73070000: C:\Windows\system32\WMI (0x3000 bytes).
2020-02-14 16:04:25,500 [root] DEBUG: DLL unloaded from 0x73400000.
2020-02-14 16:04:25,546 [root] DEBUG: DLL unloaded from 0x72C50000.
2020-02-14 16:04:25,592 [root] DEBUG: DLL unloaded from 0x73330000.
2020-02-14 16:04:34,233 [root] DEBUG: DLL unloaded from 0x75BD0000.
2020-02-14 16:04:42,358 [root] DEBUG: DLL unloaded from 0x76AC0000.
2020-02-14 16:04:44,280 [root] DEBUG: DLL unloaded from 0x73070000.
2020-02-14 16:04:49,437 [root] DEBUG: DLL unloaded from 0x76AC0000.
2020-02-14 16:05:13,578 [root] DEBUG: DLL unloaded from 0x73F40000.
2020-02-14 16:05:43,750 [root] DEBUG: DLL unloaded from 0x6D720000.
2020-02-14 16:05:43,796 [root] DEBUG: DLL unloaded from 0x72480000.
2020-02-14 16:05:43,842 [root] DEBUG: DLL unloaded from 0x73400000.
2020-02-14 16:05:43,905 [root] DEBUG: DLL unloaded from 0x72C50000.
2020-02-14 16:05:43,953 [root] DEBUG: DLL unloaded from 0x73330000.
2020-02-14 16:05:44,046 [root] DEBUG: DLL unloaded from 0x76AC0000.
2020-02-14 16:05:44,155 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2356
2020-02-14 16:05:44,203 [root] DEBUG: GetHookCallerBase: thread 532 (handle 0x0), return address 0x011FA976, allocation base 0x011C0000.
2020-02-14 16:05:44,250 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x011C0000.
2020-02-14 16:05:44,296 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:05:44,342 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x011C0000.
2020-02-14 16:05:44,390 [root] DEBUG: DumpProcess: Module entry point VA is 0x0003A810.
2020-02-14 16:05:44,437 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2020-02-14 16:05:44,483 [root] DEBUG: DLL unloaded from 0x74270000.
2020-02-14 16:05:44,530 [root] DEBUG: DLL unloaded from 0x762A0000.
2020-02-14 16:05:44,578 [root] INFO: Notified of termination of process with pid 2356.
2020-02-14 16:06:50,171 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-02-14 16:06:50,171 [root] INFO: Created shutdown mutex.
2020-02-14 16:06:51,187 [lib.api.process] INFO: Terminate event set for process 1144
2020-02-14 16:06:51,250 [root] DEBUG: Terminate Event: Attempting to dump process 1144
2020-02-14 16:06:51,296 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2020-02-14 16:06:51,342 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:06:51,390 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-02-14 16:06:51,437 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2020-02-14 16:06:51,655 [root] INFO: Added new CAPE file to list with path: C:\cAmFxgrZc\CAPE\1144_1626363875161514522020
2020-02-14 16:06:51,703 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x13000.
2020-02-14 16:06:51,750 [root] DEBUG: Terminate Event: Skipping dump of process 1144
2020-02-14 16:06:51,750 [lib.api.process] INFO: Termination confirmed for process 1144
2020-02-14 16:06:51,750 [root] INFO: Terminate event set for process 1144.
2020-02-14 16:06:51,750 [lib.api.process] INFO: Terminate event set for process 2944
2020-02-14 16:06:51,796 [root] DEBUG: Terminate Event: Attempting to dump process 2944
2020-02-14 16:06:51,796 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1144
2020-02-14 16:06:51,842 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00300000.
2020-02-14 16:06:51,890 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-14 16:06:51,937 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00300000.
2020-02-14 16:06:51,983 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001609.
2020-02-14 16:06:52,030 [root] INFO: Added new CAPE file to list with path: C:\cAmFxgrZc\CAPE\2944_10610459205161514522020
2020-02-14 16:06:52,092 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1e00.
2020-02-14 16:06:52,140 [root] DEBUG: Terminate Event: Skipping dump of process 2944
2020-02-14 16:06:52,733 [lib.common.results] ERROR: Exception uploading file C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat to host: [Errno 10053] An established connection was aborted by the software in your host machine
2020-02-14 16:06:52,796 [root] WARNING: Unable to access file at path "C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp": [Errno 13] Permission denied: u'C:\\Users\\Rebecca\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.tmp'
2020-02-14 16:06:52,842 [lib.api.process] INFO: Termination confirmed for process 2944
2020-02-14 16:06:52,858 [root] INFO: Terminate event set for process 2944.
2020-02-14 16:06:52,858 [root] INFO: Shutting down package.
2020-02-14 16:06:52,858 [root] INFO: Stopping auxiliary modules.
2020-02-14 16:06:52,905 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2944
2020-02-14 16:06:53,467 [root] INFO: Finishing auxiliary modules.
2020-02-14 16:06:53,467 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 16:06:53,467 [root] WARNING: File at path "C:\cAmFxgrZc\debugger" does not exist, skip.
2020-02-14 16:06:53,467 [root] INFO: Analysis completed.

MalScore

10.0

Khalesi

Machine

Name Label Manager Started On Shutdown On
win7_2 win7_2 KVM 2020-02-14 15:01:47 2020-02-14 15:08:23

File Details

File Name pafish.exe
File Size 76800 bytes
File Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5 9159edb64c4a21d8888d088bf2db23f3
SHA1 124f46228d1e220d88ae5e9a24d6e713039a64f9
SHA256 2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5
SHA512 4b6d56b81dd3cd42bb53fc8d68b5c8ef0d6c85ebcc503cd042ae5c19e8965e6477f259a02bafb9c5c66956ae1023fc30e3be5bbcd526eacc8480f93d74c1ab7c
CRC32 6F030481
Ssdeep 1536:tI05L48IVDAQVzZpJyrOM1GhFNkYL2BxNRj:tI05LBIDAuztyrOMGTkrNRj
TrID None matched
ClamAV None matched
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1144 triggered the Yara rule 'vmdetect'
Possible date expiration check, exits too soon after checking local time
process: dllhost.exe, PID 3028
A process attempted to delay the analysis task.
Process: WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.85, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES, raw_size: 0x00009000, virtual_size: 0x00008ef0
Queries information on disks, possibly for anti-virtualization
Detects Sandboxie through the presence of a library
Detects the presence of Wine emulator via function name
Detects VirtualBox through the presence of a window
window: VBoxTrayToolWndClass
Detects VirtualBox using WNetGetProviderName trick
Creates a hidden or system file
file: C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache
Detects the presence of Wine emulator via registry key
Detects Joe or Anubis Sandboxes through the presence of a file
File has been identified by 37 Antiviruses on VirusTotal as malicious
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
SUPERAntiSpyware: Trojan.Agent/Gen-ParanoidFish
Sangfor: Malware
Alibaba: Trojan:Win32/Khalesi.9e4b014c
K7GW: Unwanted-Program ( 004d38111 )
K7AntiVirus: Unwanted-Program ( 004d38111 )
Cyren: W32/Maskit.A.gen!Eldorado
ESET-NOD32: a variant of Win32/ParanoidFish.A potentially unsafe
APEX: Malicious
Kaspersky: Trojan.Win32.Khalesi.oq
NANO-Antivirus: Trojan.Win32.Khalesi.fdxhjb
Paloalto: generic.ml
ViRobot: Trojan.Win32.Z.Khalesi.76800
Tencent: Win32.Trojan.Khalesi.Hquz
Sophos: Troj/AutoG-DV
Zillya: Trojan.Khalesi.Win32.1493
Invincea: heuristic
Trapmine: malicious.high.ml.score
Ikarus: Trojan.Win32.Khalesi
F-Prot: W32/Maskit.A.gen!Eldorado
Jiangmin: Trojan.Khalesi.as
Webroot: W32.Trojan.Gen
Endgame: malicious (high confidence)
AegisLab: Trojan.Win32.Khalesi.tpxB
ZoneAlarm: Trojan.Win32.Khalesi.oq
TACHYON: Trojan/W32.Khalesi.76800
AhnLab-V3: PUP/Win32.ParanoidFish.R289290
VBA32: BScope.Trojan.Khalesi
ALYac: Trojan.Khalesi.gen
MAX: malware (ai score=63)
Rising: Trojan.Khalesi!8.F103 (CLOUD)
Yandex: Trojan.Khalesi!
Fortinet: W32/Fareit.A
MaxSecure: Trojan.Malware.11782770.susgen
AVG: FileRepMalware [PUP]
Qihoo-360: Win32/Trojan.0dd
Checks the version of Bios, possibly for anti-virtualization
Detects VirtualBox through the presence of a device
Detects VirtualBox through the presence of a file
file: C:\Windows\System32\vboxdisp.dll
file: C:\Windows\System32\vboxhook.dll
file: C:\Windows\System32\vboxmrxnp.dll
file: C:\Windows\System32\vboxogl.dll
file: C:\Windows\System32\vboxoglarrayspu.dll
file: C:\Windows\System32\vboxoglcrutil.dll
file: C:\Windows\System32\vboxoglerrorspu.dll
file: C:\Windows\System32\vboxoglfeedbackspu.dll
file: C:\Windows\System32\vboxoglpackspu.dll
file: C:\Windows\System32\vboxoglpassthroughspu.dll
file: C:\Windows\System32\drivers\VBoxSF.sys
file: C:\Windows\System32\VBoxControl.exe
file: C:\Windows\System32\vboxservice.exe
file: C:\Windows\System32\vboxtray.exe
file: C:\Windows\System32\drivers\VBoxGuest.sys
file: C:\Windows\System32\drivers\VBoxMouse.sys
file: C:\Windows\System32\drivers\VBoxVideo.sys
Detects VirtualBox through the presence of a registry key
Detects VMware through the presence of a device
Detects VMware through the presence of a file
Detects VMware through the presence of a registry key
Collects information to fingerprint the system

Hosts

Direct IP Country Name
Y 1.1.1.1 Australia

DNS

No domains contacted.


C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
C:\Users\Rebecca\AppData\Local\Temp\hi_CPU_VM_rdtsc_force_vm_exit
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache.old
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01.chk
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01.jcp
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01.log
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Cookies\container.dat
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\Device\KsecDD
\??\WMIDataDevice
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01.chk
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\res1.log
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\res2.log
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
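The file and registry lists in this report are what a pafish run looks like from the monitor's side: most of the interesting entries are probes for hypervisor artifacts (VBox devices and pipes, the VBOX__ ACPI tables, VMware Tools and the HGFS/VMCI devices, the Wine hive, BIOS strings, the SCSI device map) rather than files the sample actually uses. The script below is an added triage example, not code from the report or from pafish: it takes summary lines of the shape shown above and groups them by the hypervisor family each one fingerprints. The indicator patterns are this example's own choice and the sample entries are copied from the lists on this page; the sample's own files under Temp (pafish.log and hi_CPU_VM_rdtsc_force_vm_exit) match no indicator and are left alone.

```python
import re
from collections import defaultdict

# Entries copied from the Files / Registry summary lists on this page (sample input for the
# example; a real report has many more lines of the same shape).
SAMPLE_FILES = [
    r"\??\VBoxMiniRdrDN",
    r"\??\pipe\VBoxMiniRdDN",
    r"\??\VBoxTrayIPC",
    r"\??\pipe\VBoxTrayIPC",
    r"\??\HGFS",
    r"\??\vmci",
    r"\??\PhysicalDrive0",
    r"C:\Users\Rebecca\AppData\Local\Temp\pafish.log",
    r"C:\Users\Rebecca\AppData\Local\Temp\hi_CPU_VM_rdtsc_force_vm_exit",
]
SAMPLE_KEYS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Wine",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}",
]

# (regex, family, what the probe is looking for). Most specific patterns first, because the
# first match wins. This indicator list is the example's own assumption, not sandbox output.
INDICATORS = [
    (re.compile(r"\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I), "VirtualBox", "ACPI table OEM id"),
    (re.compile(r"Oracle\\VirtualBox Guest Additions$", re.I), "VirtualBox", "Guest Additions registry key"),
    (re.compile(r"\\VBox\w*$", re.I), "VirtualBox", "Guest Additions device, pipe or service"),
    (re.compile(r"VMware, Inc\.\\VMware Tools$", re.I), "VMware", "VMware Tools registry key"),
    (re.compile(r"\\\?\?\\(HGFS|vmci)$", re.I), "VMware", "HGFS / VMCI device"),
    (re.compile(r"\\SOFTWARE\\Wine$", re.I), "Wine", "Wine registry hive"),
    (re.compile(r"\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I), "generic", "BIOS strings"),
    (re.compile(r"\\DEVICEMAP\\Scsi\\", re.I), "generic", "SCSI disk identifier"),
    (re.compile(r"\\PhysicalDrive0$", re.I), "generic", "raw disk size"),
]


def parse_summary(text):
    """Split a copy-pasted summary block into (files, registry_keys), skipping blank lines.
    Registry entries start with a hive name; everything else is a file, device or pipe path."""
    files, keys = [], []
    for line in text.splitlines():
        line = line.strip()
        if line:
            (keys if line.startswith("HKEY_") else files).append(line)
    return files, keys


def classify(entries):
    """Map each matching entry to the hypervisor family it probes. The report lists the same
    path under several access types (opened, read, written, deleted); duplicates collapse
    because each family holds a set of (entry, description) pairs."""
    hits = defaultdict(set)
    for entry in entries:
        for pattern, family, what in INDICATORS:
            if pattern.search(entry):
                hits[family].add((entry, what))
                break
    return dict(hits)


def summarize(files, keys):
    """Count distinct artifact probes per family."""
    return {family: len(items) for family, items in classify(files + keys).items()}


def probed_hypervisors(files, keys):
    """Families the sample actively fingerprinted, ignoring generic hardware probes."""
    return sorted(f for f in classify(files + keys) if f != "generic")


if __name__ == "__main__":
    for family, items in sorted(classify(SAMPLE_FILES + SAMPLE_KEYS).items()):
        print(f"[{family}]")
        for entry, what in sorted(items):
            print(f"  {what:42} {entry}")
    print("hypervisors probed:", ", ".join(probed_hypervisors(SAMPLE_FILES, SAMPLE_KEYS)))
```

Patterns are anchored on the tail of the entry rather than the hive prefix on purpose: the report itself contains a few lines whose leading `HK` bytes were mangled by extraction, and those still classify correctly. Counting distinct probes per family (rather than raw line hits) is what you want for a verdict, since the same device path can appear three or four times across the opened/read/written/deleted lists.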
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\SOFTWARE\Wine
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\HARDWARE\Description\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\pafish.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002_Classes
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002_CLASSES\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\AppID
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002_CLASSES\AppID\{3EB3C877-1F16-487C-9050-104DBCD66683}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3EB3C877-1F16-487C-9050-104DBCD66683}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\ProfileImagePath
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Environment
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Volatile Environment
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Volatile Environment\0
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\Software\Classes\AppID\{3EB3C877-1F16-487C-9050-104DBCD66683}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_CURRENT_USER\Software\Classes\Interface\{A168AADC-1674-49DA-AD4F-4F27DF8760D0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\EntryMaxAge
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\EntryMaxAge
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua\EntryMaxAge
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompatua\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\EntryMaxAge
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203\EntryMaxAge
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020220190203\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204\EntryMaxAge
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019020320190204\CacheRepair
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\StudyId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\StudyId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelemetryClient\SampleStore\sqm\Windows\winsqm8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelemetryClient\SampleStore\sqm\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelemetryClient\SampleStore\sqm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelemetryClient\SampleStore
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\MachineId
HKEY_CURRENT_USER\Software\Microsoft\SQMClient
HKEY_CURRENT_USER\Software\Microsoft\SQMClient\UserId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\DatabaseCorrupt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\CleanupDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\DependencyEntryExpiryTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ContainerExpiryTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ContentLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\TotalContentLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\AppContainerTotalContentLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\AppContainerContentLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\State
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\Preference
HKEY_CURRENT_USER\Software\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AllowOnlyDNSQueryForWPAD
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{217F9A34-6877-48BF-9D7C-041DD9749A69}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{76C2F461-B936-4B5D-B335-1777355B83DB}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A65F788A-4DB8-4D19-9416-0CC73EFC9B6D}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{E514ECB9-6A7F-4A2F-8E1B-C9E2A9154B09}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\DatabaseCorrupt
kernel32.dll.IsWow64Process
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
ntdll.dll.EtwUnregisterTraceGuids
oleaut32.dll.#500
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
wininet.dll.DllGetClassObject
wininet.dll.DllCanUnloadNow
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetTokenInformation
api-ms-win-downlevel-advapi32-l1-1-0.dll.CreateWellKnownSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.EqualSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.CopySid
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertSidToStringSidW
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemAlloc
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthorityCount
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthority
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCloseKey
shell32.dll.SHGetKnownFolderPath
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemFree
sqmapi.dll.SqmGetSession
sqmapi.dll.SqmEndSession
sqmapi.dll.SqmStartSession
sqmapi.dll.SqmIsWindowsOptedIn
sqmapi.dll.SqmSetAppId
sqmapi.dll.SqmSetAppVersion
sqmapi.dll.SqmSetMachineId
sqmapi.dll.SqmSetUserId
sqmapi.dll.SqmCreateNewId
sqmapi.dll.SqmReadSharedMachineId
sqmapi.dll.SqmReadSharedUserId
sqmapi.dll.SqmWriteSharedMachineId
sqmapi.dll.SqmWriteSharedUserId
sqmapi.dll.SqmAddToStreamDWord
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateGuid
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromGUID2
esent.dll.JetSetSystemParameterW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegDeleteValueW
esent.dll.JetCreateInstance2W
kernel32.dll.QueueUserWorkItem
kernel32.dll.ReadFileScatter
kernel32.dll.WriteFileGather
kernel32.dll.GetNLSVersion
kernel32.dll.IsNLSDefinedString
kernel32.dll.GetVolumePathNameW
kernel32.dll.GetVolumeNameForVolumeMountPointW
esent.dll.JetInit
advapi32.dll.OpenProcessToken
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.SetFileValidData
esent.dll.JetBeginSessionA
esent.dll.JetCreateDatabaseW
esent.dll.JetCreateTableW
esent.dll.JetCloseTable
esent.dll.JetDeleteTableW
esent.dll.JetCloseDatabase
esent.dll.JetEndSession
esent.dll.JetAttachDatabaseW
esent.dll.JetOpenDatabaseW
esent.dll.JetOpenTableW
esent.dll.JetCreateTableColumnIndexW
esent.dll.JetGetColumnInfoW
esent.dll.JetSetCurrentIndex2W
esent.dll.JetBeginTransaction
esent.dll.JetMakeKey
esent.dll.JetSeek
esent.dll.JetPrepareUpdate
esent.dll.JetRetrieveColumn
esent.dll.JetSetColumn
esent.dll.JetUpdate
esent.dll.JetCommitTransaction
esent.dll.JetRetrieveColumns
esent.dll.JetRollback
sechost.dll.ConvertSidToStringSidW
esent.dll.JetMove
api-ms-win-downlevel-ole32-l1-1-0.dll.CoImpersonateClient
api-ms-win-downlevel-ole32-l1-1-0.dll.CoRevertToSelf
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventRegister
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventUnregister
secur32.dll.GetUserNameExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueA
iertutil.dll.#701
iertutil.dll.#703
iertutil.dll.#702
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExA
ws2_32.dll.#115
ws2_32.dll.#111
iertutil.dll.#791
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegSetValueExW
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
oleaut32.dll.#4
oleaut32.dll.#7
advapi32.dll.RegOpenKeyW
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.CoRevertToSelf
sspicli.dll.LogonUserExExW
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoSwitchCallContext
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
kernel32.dll.RegCreateKeyExW
ntdll.dll.EtwRegisterTraceGuidsW
ntmarta.dll.GetMartaExtensionInterface
devobj.dll.DevObjCreateDeviceInfoList
devobj.dll.DevObjGetClassDevs
devobj.dll.DevObjEnumDeviceInfo
devobj.dll.DevObjDestroyDeviceInfoList
cfgmgr32.dll.CM_Connect_MachineA
cfgmgr32.dll.CM_Disconnect_Machine
cfgmgr32.dll.CM_Locate_DevNodeW
cfgmgr32.dll.CM_Get_DevNode_Registry_PropertyW
cfgmgr32.dll.CM_Get_Child
cfgmgr32.dll.CM_Get_Sibling
cfgmgr32.dll.CM_Get_DevNode_Status
cfgmgr32.dll.CM_Get_First_Log_Conf
cfgmgr32.dll.CM_Get_Next_Res_Des
cfgmgr32.dll.CM_Get_Res_Des_Data
cfgmgr32.dll.CM_Get_Res_Des_Data_Size
cfgmgr32.dll.CM_Free_Log_Conf_Handle
cfgmgr32.dll.CM_Free_Res_Des_Handle
cfgmgr32.dll.CM_Get_Device_IDA
cfgmgr32.dll.CM_Get_Device_ID_Size
cfgmgr32.dll.CM_Get_Parent
oleaut32.dll.#15
oleaut32.dll.#26
oleaut32.dll.#16
oleaut32.dll.#23
oleaut32.dll.#24
wmi.dll.WmiQueryAllDataW
wmi.dll.WmiQuerySingleInstanceW
wmi.dll.WmiSetSingleItemW
wmi.dll.WmiSetSingleInstanceW
wmi.dll.WmiExecuteMethodW
wmi.dll.WmiNotificationRegistrationW
wmi.dll.WmiMofEnumerateResourcesW
wmi.dll.WmiFileHandleToInstanceNameW
wmi.dll.WmiDevInstToInstanceNameW
wmi.dll.WmiQueryGuidInformation
wmi.dll.WmiOpenBlock
wmi.dll.WmiCloseBlock
wmi.dll.WmiFreeBuffer
wmi.dll.WmiEnumerateGuids
oleaut32.dll.#8
oleaut32.dll.#9
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
{A38ECF16-ECA5-4DE0-A21F-BEC24F4DF84D}_S-1-5-21-479431668-4257340731-3059248302-1002

PE Information

Image Base 0x00400000
Entry Point 0x004014e0
Reported Checksum 0x00012d9a
Actual Checksum 0x00012d9a
Minimum OS Version 4.0
Compile Time 2016-08-27 11:37:13
Import Hash 5fd4caa76ea3c961f2d530674634f64d
Icon Exact Hash 66ca2c511eec61a6998ce35c0ffc6e7f
Icon Similarity Hash b7d6aa08bca775a10218eef9e5325e51

Version Infos

LegalCopyright
InternalName
FileVersion
CompanyName
LegalTrademarks
ProductName Paranoid Fish
ProductVersion
FileDescription Paranoid Fish is paranoid
OriginalFilename
Translation 0x0409 0x04e4

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00004f04 0x00005000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 5.84
.data 0x00006000 0x00000030 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.52
.rdata 0x00007000 0x000032b8 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 5.84
.bss 0x0000b000 0x00000400 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x0000c000 0x00000d24 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.76
.CRT 0x0000d000 0x00000034 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.27
.tls 0x0000e000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.20
.rsrc 0x0000f000 0x00008ef0 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 7.85

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00017a10 0x000001f1 LANG_ENGLISH SUBLANG_ENGLISH_US 7.42 PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON 0x00017c08 0x0000005a LANG_ENGLISH SUBLANG_ENGLISH_US 2.99 data
RT_VERSION 0x00017c68 0x00000288 LANG_ENGLISH SUBLANG_ENGLISH_US 3.14 data

Imports

Library ADVAPI32.dll:
0x40c2a8 GetUserNameA
0x40c2ac RegCloseKey
0x40c2b0 RegOpenKeyExA
0x40c2b4 RegQueryValueExA
Library IPHLPAPI.DLL:
Library KERNEL32.dll:
0x40c2c4 CloseHandle
0x40c2c8 CreateFileA
0x40c2cc CreateProcessA
0x40c2d8 DeleteFileW
0x40c2dc DeviceIoControl
0x40c2e8 GetCurrentProcess
0x40c2ec GetCurrentProcessId
0x40c2f0 GetCurrentThreadId
0x40c2f4 GetDiskFreeSpaceExA
0x40c2f8 GetDriveTypeA
0x40c2fc GetFileAttributesA
0x40c300 GetLastError
0x40c308 GetModuleFileNameA
0x40c30c GetModuleHandleA
0x40c310 GetProcAddress
0x40c314 GetStartupInfoA
0x40c318 GetStdHandle
0x40c31c GetSystemInfo
0x40c324 GetTickCount
0x40c328 GetVersionExA
0x40c334 IsDebuggerPresent
0x40c33c LocalAlloc
0x40c340 LocalFree
0x40c344 OutputDebugStringA
0x40c348 Process32First
0x40c34c Process32Next
0x40c358 SetLastError
0x40c360 Sleep
0x40c364 TerminateProcess
0x40c368 TlsGetValue
0x40c370 VirtualProtect
0x40c374 VirtualQuery
0x40c378 lstrcmpiA
Library MPR.DLL:
Library msvcrt.dll:
0x40c388 __dllonexit
0x40c38c __getmainargs
0x40c390 __initenv
0x40c394 __lconv_init
0x40c398 __set_app_type
0x40c39c __setusermatherr
0x40c3a0 _acmdln
0x40c3a4 _amsg_exit
0x40c3a8 _cexit
0x40c3ac _fmode
0x40c3b0 _initterm
0x40c3b4 _iob
0x40c3b8 _lock
0x40c3bc _onexit
0x40c3c0 calloc
0x40c3c4 exit
0x40c3c8 fclose
0x40c3cc fopen
0x40c3d0 fprintf
0x40c3d4 fputs
0x40c3d8 free
0x40c3dc fwrite
0x40c3e0 getchar
0x40c3e4 malloc
0x40c3e8 mbstowcs
0x40c3ec memcmp
0x40c3f0 memcpy
0x40c3f4 printf
0x40c3f8 puts
0x40c3fc signal
0x40c400 sprintf
0x40c404 strlen
0x40c408 strncat
0x40c40c strncmp
0x40c410 strncpy
0x40c414 strstr
0x40c418 _unlock
0x40c41c abort
0x40c420 toupper
0x40c424 vfprintf
0x40c428 wcsstr
0x40c42c _vsnprintf
Library ole32.dll:
0x40c434 CoCreateInstance
0x40c438 CoInitializeEx
0x40c440 CoUninitialize
Library OLEAUT32.dll:
0x40c448 SysAllocString
0x40c44c SysFreeString
Library SHELL32.dll:
0x40c454 ShellExecuteExW
Library USER32.dll:
0x40c45c FindWindowA
0x40c460 GetCursorPos
Library WS2_32.dll:
0x40c468 freeaddrinfo
0x40c46c getaddrinfo

.text
.data
.rdata
.idata
.rsrc
libgcj-16.dll
_Jv_RegisterClasses
Start
analysis-start
%lu.%lu build %lu
Windows version: %s
CPU: %s (HV: %s) %s
CPU: %s %s
Debuggers detection
hi_debugger_isdebuggerpresent
Debugger traced using IsDebuggerPresent()
Using IsDebuggerPresent()
hi_debugger_outputdebugstring
Debugger traced using OutputDebugString()
Using OutputDebugString()
CPU information based detections
hi_CPU_VM_rdtsc
CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)
Checking the difference between CPU timestamp counters (rdtsc)
hi_CPU_VM_rdtsc_force_vm_exit
CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
hi_CPU_VM_hypervisor_bit
CPU VM traced by checking hypervisor bit in cpuid feature bits
Checking hypervisor bit in cpuid feature bits
hi_CPU_VM_hv_vendor_name
CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
Checking cpuid hypervisor vendor for known VM vendors
Generic sandbox detection
hi_sandbox_mouse_act
Sandbox traced using mouse activity
Using mouse activity
hi_sandbox_username
Sandbox traced by checking username
Checking username
hi_sandbox_path
Sandbox traced by checking file path
Checking file path
hi_sandbox_common_names
Sandbox traced by checking common sample names in drives root
Checking common sample names in drives root
hi_sandbox_drive_size
Sandbox traced by checking disk size <= 60GB via DeviceIoControl()
Checking if disk size <= 60GB via DeviceIoControl()
hi_sandbox_drive_size2
Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()
Checking if disk size <= 60GB via GetDiskFreeSpaceExA()
hi_sandbox_sleep_gettickcount
Sandbox traced by checking if Sleep() was patched using GetTickCount()
Checking if Sleep() is patched using GetTickCount()
hi_sandbox_NumberOfProcessors_less_2_raw
Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access
Checking if NumberOfProcessors is < 2 via raw access
hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo
Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()
Checking if NumberOfProcessors is < 2 via GetSystemInfo()
hi_sandbox_pysicalmemory_less_1Gb
Sandbox traced by checking if pysical memory is less than 1Gb
Checking if pysical memory is < 1Gb
hi_sandbox_uptime
Sandbox traced by checking operating system uptime using GetTickCount()
Checking operating system uptime using GetTickCount()
hi_sandbox_IsNativeVhdBoot
Sandbox traced by checking IsNativeVhdBoot()
Checking if operating system IsNativeVhdBoot()
Hooks detection
hi_hooks_shellexecuteexw_m1
Hooks traced using ShellExecuteExW method 1
Checking function ShellExecuteExW method 1
hi_hooks_createprocessa_m1
Hooks traced using CreateProcessA method 1
Checking function CreateProcessA method 1
Sandboxie detection
hi_sandboxie
Sandboxie traced using GetModuleHandle(sbiedll.dll)
Using GetModuleHandle(sbiedll.dll)
Wine detection
hi_wine
Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
Wine traced using Reg key HKCU\SOFTWARE\Wine
Reg key (HKCU\SOFTWARE\Wine)
VirtualBox detection
hi_virtualbox
VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Scsi port->bus->target id->logical unit id-> 0 identifier
VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion")
VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions)
VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion")
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__)
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\FADT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__)
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\RSDT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__)
Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*)
VirtualBox traced using Reg key HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate"
Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate")
Driver files in C:\WINDOWS\system32\drivers\VBox*
Additional system files
VirtualBox traced using MAC address starting with 08:00:27
Looking for a MAC address starting with 08:00:27
Looking for pseudo devices
VirtualBox traced using VBoxTray windows
Looking for VBoxTray windows
VirtualBox traced using its network share
Looking for VBox network share
Looking for VBox processes (vboxservice.exe, vboxtray.exe)
VirtualBox device identifiers traced using WMI
Looking for VBox devices using WMI
VMware detection
hi_vmware
VMWare traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0,1,2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier
VMware traced using Reg key HKLM\SOFTWARE\VMware, Inc.\VMware Tools
Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools)
VMware traced using file C:\WINDOWS\system32\drivers\vmmouse.sys
Looking for C:\WINDOWS\system32\drivers\vmmouse.sys
VMware traced using file C:\WINDOWS\system32\drivers\vmhgfs.sys
Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys
VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56
Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56
VMware traced using network adapter name
Looking for network adapter name
VMware serial number traced using WMI
Looking for VMware serial number
Qemu detection
hi_qemu
Qemu traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Qemu traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Qemu traced using CPU brand string 'QEMU Virtual CPU'
cpuid CPU brand string 'QEMU Virtual CPU'
Bochs detection
hi_bochs
Bochs traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Bochs traced using CPU AMD wrong value for processor name
cpuid AMD wrong value for processor name
Bochs traced using CPU Intel wrong value for processor name
cpuid Intel wrong value for processor name
Cuckoo detection
hi_cuckoo
Cuckoo hooks information structure traced in the TLS
Looking in the TLS for the hooks information structure
[-] Feel free to RE me, check log file for more information.
analysis-end
* Pafish (
Paranoid fish
Some anti(debugger/VM/sandbox) tricks
traced!
[pafish] %s
pafish.log
[*] %s ...
kernel32
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
IsWow64Process
useless
sbiedll.dll
Identifier
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
SystemBiosVersion
HARDWARE\Description\System
SOFTWARE\Oracle\VirtualBox Guest Additions
VIRTUALBOX
VideoBiosVersion
HARDWARE\ACPI\DSDT\VBOX__
HARDWARE\ACPI\FADT\VBOX__
HARDWARE\ACPI\RSDT\VBOX__
SYSTEM\ControlSet001\Services\VBoxGuest
SYSTEM\ControlSet001\Services\VBoxMouse
SYSTEM\ControlSet001\Services\VBoxService
SYSTEM\ControlSet001\Services\VBoxSF
SYSTEM\ControlSet001\Services\VBoxVideo
VirtualBox traced using Reg key HKLM\%s
06/23/99
SystemBiosDate
HARDWARE\DESCRIPTION\System
C:\WINDOWS\system32\drivers\VBoxMouse.sys
C:\WINDOWS\system32\drivers\VBoxGuest.sys
C:\WINDOWS\system32\drivers\VBoxSF.sys
C:\WINDOWS\system32\drivers\VBoxVideo.sys
VirtualBox traced using driver file %s
C:\WINDOWS\system32\vboxdisp.dll
C:\WINDOWS\system32\vboxhook.dll
C:\WINDOWS\system32\vboxmrxnp.dll
C:\WINDOWS\system32\vboxogl.dll
C:\WINDOWS\system32\vboxoglarrayspu.dll
C:\WINDOWS\system32\vboxoglcrutil.dll
C:\WINDOWS\system32\vboxoglerrorspu.dll
C:\WINDOWS\system32\vboxoglfeedbackspu.dll
C:\WINDOWS\system32\vboxoglpackspu.dll
C:\WINDOWS\system32\vboxoglpassthroughspu.dll
C:\WINDOWS\system32\vboxservice.exe
C:\WINDOWS\system32\vboxtray.exe
C:\WINDOWS\system32\VBoxControl.exe
C:\program files\oracle\virtualbox guest additions\
VirtualBox traced using system file %s
\\.\VBoxMiniRdrDN
\\.\pipe\VBoxMiniRdDN
\\.\VBoxTrayIPC
\\.\pipe\VBoxTrayIPC
VirtualBox traced using device %s
VBoxTrayToolWndClass
VBoxTrayToolWnd
VirtualBox Shared Folders
vboxservice.exe
VirtualBox traced using vboxservice.exe process
vboxtray.exe
VirtualBox traced using vboxtray.exe process
SANDBOX
VIRUS
MALWARE
\SAMPLE
\VIRUS
%ssample.exe
%smalware.exe
\\.\PhysicalDrive0
kernel32
IsNativeVhdBoot
kernel32.dll
wine_get_unix_file_name
SOFTWARE\Wine
VMWARE
Identifier
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
SOFTWARE\VMware, Inc.\VMware Tools
C:\WINDOWS\system32\drivers\vmmouse.sys
C:\WINDOWS\system32\drivers\vmhgfs.sys
VMware
\\.\HGFS
\\.\vmci
VMWare traced using device %s
Identifier
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
SystemBiosVersion
HARDWARE\Description\System
QEMU Virtual CPU
%c%c%c%c
KVMKVMKVM
Microsoft Hv
VMwareVMware
XenVMMXenVMM
prl hyperv
VBoxVBoxVBox
BOCHS
SystemBiosVersion
HARDWARE\Description\System
AMD Athlon(tm) processor
Intel(R) Pentium(R) 4 CPU
Unknown error
Argument domain error (DOMAIN)
Argument singularity (SIGN)
Overflow range error (OVERFLOW)
The result is too small to be represented (UNDERFLOW)
Total loss of significance (TLOSS)
Partial loss of significance (PLOSS)
Address %p has no image-section
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 6.1.1 20160815
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 5.4.0 20160609
GCC: (GNU) 6.1.1 20160815
GetUserNameA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
GetAdaptersAddresses
CloseHandle
CreateFileA
CreateProcessA
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
GetConsoleScreenBufferInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetLastError
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GlobalMemoryStatusEx
InitializeCriticalSection
IsDebuggerPresent
LeaveCriticalSection
LocalAlloc
LocalFree
OutputDebugStringA
Process32First
Process32Next
QueryPerformanceCounter
SetConsoleTextAttribute
SetLastError
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
lstrcmpiA
WNetGetProviderNameA
__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_initterm
_lock
_onexit
calloc
fclose
fopen
fprintf
fputs
fwrite
getchar
malloc
mbstowcs
memcmp
memcpy
printf
signal
sprintf
strlen
strncat
strncmp
strncpy
strstr
_unlock
abort
toupper
vfprintf
wcsstr
_vsnprintf
CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoUninitialize
SysAllocString
SysFreeString
ShellExecuteExW
FindWindowA
GetCursorPos
freeaddrinfo
getaddrinfo
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
MPR.DLL
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WS2_32.dll
(p`3x
PxBo9
S&wv+b+
DeviceId
PCI\VEN_80EE&DEV_CAFE
root\cimv2
SELECT DeviceId FROM Win32_PnPEntity
sSerialNumber
VMware
root\cimv2
SELECT SerialNumber FROM Win32_Bios
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
FileVersion
FileDescription
Paranoid Fish is paranoid
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
Paranoid Fish
ProductVersion
VarFileInfo
Translation

Full Results

VirusTotal Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 Win32/Trojan.0dd
McAfee Clean
Cylance Unsafe
Zillya Trojan.Khalesi.Win32.1493
AegisLab Trojan.Win32.Khalesi.tpxB
Sangfor Malware
CrowdStrike Clean
BitDefender Clean
K7GW Unwanted-Program ( 004d38111 )
K7AntiVirus Unwanted-Program ( 004d38111 )
Invincea heuristic
BitDefenderTheta Clean
Cyren W32/Maskit.A.gen!Eldorado
Symantec Clean
ESET-NOD32 a variant of Win32/ParanoidFish.A potentially unsafe
Baidu Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky Trojan.Win32.Khalesi.oq
Alibaba Trojan:Win32/Khalesi.9e4b014c
NANO-Antivirus Trojan.Win32.Khalesi.fdxhjb
ViRobot Trojan.Win32.Z.Khalesi.76800
Rising Trojan.Khalesi!8.F103 (CLOUD)
Ad-Aware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Trojan.Win32.Generic!BT
TrendMicro Clean
McAfee-GW-Edition Clean
Trapmine malicious.high.ml.score
FireEye Clean
Sophos Troj/AutoG-DV
SentinelOne Clean
F-Prot W32/Maskit.A.gen!Eldorado
Jiangmin Trojan.Khalesi.as
Webroot W32.Trojan.Gen
Avira Clean
MAX malware (ai score=63)
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Endgame malicious (high confidence)
Arcabit Clean
SUPERAntiSpyware Trojan.Agent/Gen-ParanoidFish
ZoneAlarm Trojan.Win32.Khalesi.oq
Avast-Mobile Clean
GData Clean
AhnLab-V3 PUP/Win32.ParanoidFish.R289290
Acronis Clean
VBA32 BScope.Trojan.Khalesi
ALYac Trojan.Khalesi.gen
TACHYON Trojan/W32.Khalesi.76800
Panda Clean
Zoner Clean
TrendMicro-HouseCall Clean
Tencent Win32.Trojan.Khalesi.Hquz
Yandex Trojan.Khalesi!
Ikarus Trojan.Win32.Khalesi
eGambit Clean
Fortinet W32/Fareit.A
AVG FileRepMalware [PUP]
Cybereason Clean
Paloalto generic.ml
MaxSecure Trojan.Malware.11782770.susgen

Process Tree


pafish.exe, PID: 1144, Parent PID: 1328
Full Path: C:\Users\Rebecca\AppData\Local\Temp\pafish.exe
Command Line: "C:\Users\Rebecca\AppData\Local\Temp\pafish.exe"
svchost.exe, PID: 556, Parent PID: 444
Full Path: C:\Windows\System32\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
dllhost.exe, PID: 2944, Parent PID: 556
Full Path: C:\Windows\System32\dllhost.exe
Command Line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
dllhost.exe, PID: 3028, Parent PID: 556
Full Path: C:\Windows\System32\dllhost.exe
Command Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
svchost.exe, PID: 3492, Parent PID: 444
Full Path: C:\Windows\System32\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
WmiPrvSE.exe, PID: 2356, Parent PID: 556
Full Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Hosts

Direct IP Country Name
Y 1.1.1.1 Australia

TCP

Source Source Port Destination Destination Port
192.168.1.2 49199 192.0.2.123 443

UDP

Source Source Port Destination Destination Port
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 51997 1.1.1.1 53
192.168.1.2 58416 1.1.1.1 53
192.168.1.2 59272 1.1.1.1 53
192.168.1.2 59508 1.1.1.1 53
192.168.1.2 61182 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-02-14 15:05:05.029 192.168.1.2 49176 192.0.2.123 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2
2020-02-14 15:06:04.539 192.168.1.2 49199 192.0.2.123 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2
2020-02-14 15:06:10.939 192.168.1.2 49200 192.0.2.123 443 CN=localhost a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.2 49176 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.2 49199 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.2 49200 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
192.168.1.2 49200 192.0.2.123 443 67f9e6835a46017b668ace14afaaac17 unknown
File name V01tmp.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01.log
File Size 524288 bytes
File Type data
MD5 650bd8b7d2f1a59938ac9c7fbf7d8c98
SHA1 526177999484fe544cb1e6c2eb0d8ddd89977f9c
SHA256 45575630f56d786cb04bd2f4a75ee77f9346d972cf80856fba91e31c6f24c3a1
CRC32 425714D7
Ssdeep 6:IuYQijYNBwi23oH+H1fNBwi23oH+H1PQmUw//Edta89:INQwYnwZYeVfnwZYeVPQ/wXEiU
ClamAV None
Yara None matched
CAPE Yara None matched

File name V01.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01.log
File Size 524288 bytes
File Type data
MD5 696ab6a135afa8de7b2aee252762e590
SHA1 1aea745e2814753981630bc26db8417e4e6defc4
SHA256 5431f4c53e758151eb62dd54d2be823f028e58d752a1fa991640d008c00f8533
CRC32 4FE640FC
Ssdeep 384:/izmr+E4Uf6XrZZAv3VsgH1x/gXUWQMXBJvW:/izmrThf6Xre3V8RJvW
ClamAV None
Yara None matched
CAPE Yara None matched

File name counters.dat
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
File Size 128 bytes
File Type data
MD5 ac248b35f01558d9b949a9f475d972a6
SHA1 e45689e2167f364757ad7cdf543623c40a241131
SHA256 8ef175051c187465c0d4d4dffeb62fa8311f34a725e2297bc35219572c8ce011
CRC32 ECB4BD99
Ssdeep 3:pl1:
ClamAV None
Yara None matched
CAPE Yara None matched

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 58 bytes
File Type ASCII text, with CRLF line terminators
MD5 2498aa8594578b3024d201e4a6215fd8
SHA1 19145b1afc173f3c2f23b46b85f24c81612e4a7b
SHA256 391e8e82927160795fcbf13b18a16e2e0fcf95dc89686415f48b2f70acc1c2fa
CRC32 F6E8588A
Ssdeep 3:tuDqF2iev+MXqFyKMyLKO9x6U:tueRevL6NM2KOX/
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601

File name WebCacheV01.dat
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
File Size 10485775 bytes
File Type Extensible storage engine DataBase, version 0x620, checksum 0x40cf0901, page size 32768, DirtyShutdown, Windows version 6.1
MD5 caf6e09983b3343b58f7c8bf7a18ced1
SHA1 45af05dada0b63208603c375878287234ede2ec8
SHA256 a85456c01736814c4950eb295eb28caa0509bebee360a6cd69582458d774e807
CRC32 34AFF6C9
Ssdeep 192:Hv3v2ppwUnWpRZSTBzyxz5+lg8+lX2ppwUnWpRZSTBzySai+5XyCZvM:Hvf2UaM+1yt2UaM+1ySaieyCJM
ClamAV None
Yara None matched
CAPE Yara None matched

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 16 bytes
File Type ASCII text, with CRLF line terminators
MD5 e8136b3426aeb7ab0dfee03dc5c99edc
SHA1 bfa28abc7d43bd3674c498bcde12534cc2f7da14
SHA256 106a0427f1700dd692c87477ee714f12e6cd0b35408307f05552a65eda46e721
CRC32 6149EF81
Ssdeep 3:tuDqF2iB:tueRB
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start

File name V01res00001.jrs
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs
File Size 524288 bytes
File Type data
MD5 70c19455f580dd8a5ae98a491acd68a2
SHA1 f33b5900aab5ee066b2a7fed8d91ff0b839b4e7a
SHA256 fa00de3eafaee0a950c20568333d4e10f7207bc0bd3914c7985eda0cf2c18808
CRC32 9B4AEB6B
Ssdeep 3:P//3/////////P/X////////f/X////////3//3////////v/////////ff////X:n
ClamAV None
Yara None matched
CAPE Yara None matched

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 240 bytes
File Type ASCII text, with CRLF line terminators
MD5 2f251b205ef81a906761bf683fb13763
SHA1 00bcc13c6826f42a56921ca74bf37a46b93f6123
SHA256 026000fd89c44ec5bdbbc8db9b4968b2dd35f58bd78206795d9968cf0c0108bd
CRC32 FD9E2972
Ssdeep 6:tueRevL6NM2KOXrOXNlHMYDkfSv+81+DeO0gLLCmF:tx4D6aBO7OXfsPqMeO0gLLCmF
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601
[pafish] CPU: GenuineIntel Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit

File name WebCacheV01.dat
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
File Size 8454144 bytes
File Type Extensible storage engine DataBase, version 0x620, checksum 0x40cf0901, page size 32768, DirtyShutdown, Windows version 6.1
MD5 b1923a20186a9c968c10bd3f0e5d13f8
SHA1 eb4d2fff409819995efa52b0d048f8facd6b540a
SHA256 fac0fcb164790e653624d722c71ae5d30822be0be1f92166128728257b61ce01
CRC32 6086ED6B
Ssdeep 192:Hv3v2ppwUnWpRZSTBzyxz5+lg8+lZ+2ppwUnWpRZSTBzyA:Hvf2UaM+1yO2UaM+1yA
ClamAV None
Yara None matched
CAPE Yara None matched

File name pafish.log
Associated Filenames
C:\Users\Rebecca\AppData\Local\Temp\pafish.log
File Size 134 bytes
File Type ASCII text, with CRLF line terminators
MD5 720be7afb64c04328ad4bbd2412f12da
SHA1 673eabe90f7b72561fcdde936317f72f3fe4f5ca
SHA256 0e1bfeff755c90d62581918a6a15f419ccb44fc07cd62e18f7b4c95267731ff9
CRC32 66634B8C
Ssdeep 3:tuDqF2iev+MXqFyKMyLKO9x6AmqFm8jGXsaJlEuI1w/RKn:tueRevL6NM2KOXrOXNlHE
ClamAV None
Yara None matched
CAPE Yara None matched
[pafish] Start
[pafish] Windows version: 6.1 build 7601
[pafish] CPU: GenuineIntel Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz

File name WebCacheV01.dat
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
File Size 65536 bytes
File Type Extensible storage engine DataBase, version 0x620, checksum 0x73d20001, page size 32768, JustCreated, Windows version 0.0
MD5 b267e3bfafb5d564a830a73f2a00ba26
SHA1 583b7f6652593ee763ce964aa9a7c50e40e41454
SHA256 b3eabb28a47f5cd90b9cbdc4f573712cc2b3a7b7eeadb639019c3996edb3d056
CRC32 4452CC8C
Ssdeep 3:xzdl1UIdsUlYU8kltllplUUlfzdl1UIdsUlYU8kltllplUUl:pygs8GslLygs8Gsl
ClamAV None
Yara None matched
CAPE Yara None matched

File name WebCacheV01.dat
Associated Filenames
C:\Users\Rebecca\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
File Size 8454144 bytes
File Type Extensible storage engine DataBase, version 0x620, checksum 0x73d20001, page size 32768, JustCreated, Windows version 0.0
MD5 19af73710d8168c7eb7e99da84ab79be
SHA1 cfb4547e0d8260d69681278feef41cc2e28b4754
SHA256 2e08f8aa158f278425d1c37997ab5710f1500c8089a87267da9880c2d02204b2
CRC32 A0E3921C
Ssdeep 192:nv2ppwUnWpRZSTBzyxz5+lg8+lZ+2ppwUnWpRZSTBzyA:v2UaM+1yO2UaM+1yA
ClamAV None
Yara None matched
CAPE Yara None matched