Detections

Yara:

AgentTeslaV2

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-23 05:58:24 2020-06-23 06:04:53 389 seconds Show Options Show Log
route = tor
2020-05-13 09:29:35,105 [root] INFO: Date set to: 20200623T05:58:23, timeout set to: 200
2020-06-23 05:58:23,093 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-06-23 05:58:23,093 [root] DEBUG: Storing results at: C:\LDUomCgWz
2020-06-23 05:58:23,093 [root] DEBUG: Pipe server name: \\.\PIPE\DCgsNnr
2020-06-23 05:58:23,093 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-23 05:58:23,093 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-23 05:58:23,109 [root] INFO: Automatically selected analysis package "exe"
2020-06-23 05:58:23,109 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-23 05:58:23,328 [root] DEBUG: Imported analysis package "exe".
2020-06-23 05:58:23,328 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-23 05:58:23,328 [root] DEBUG: Initialized analysis package "exe".
2020-06-23 05:58:23,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-23 05:58:23,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-23 05:58:23,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-23 05:58:24,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-23 05:58:24,062 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-23 05:58:24,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-23 05:58:24,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-23 05:58:24,390 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-23 05:58:24,390 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-23 05:58:24,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-23 05:58:24,484 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-23 05:58:24,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-23 05:58:24,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-23 05:58:24,671 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-23 05:58:24,671 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-23 05:58:24,671 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-23 05:58:24,671 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-23 05:58:24,671 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-23 05:58:24,671 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-23 05:58:24,796 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-23 05:58:24,796 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-23 05:58:28,156 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-23 05:58:28,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-23 05:58:28,281 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-23 05:58:28,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-23 05:58:28,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-23 05:58:28,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-23 05:58:28,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-23 05:58:28,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-23 05:58:28,312 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-23 05:58:28,328 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-23 05:58:28,328 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-23 05:58:28,328 [root] DEBUG: Started auxiliary module Browser
2020-06-23 05:58:28,328 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-23 05:58:28,328 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-23 05:58:28,328 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-23 05:58:28,328 [root] DEBUG: Started auxiliary module Curtain
2020-06-23 05:58:28,328 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-23 05:58:28,328 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-23 05:58:28,328 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-23 05:58:28,328 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-23 05:58:29,343 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-23 05:58:29,343 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-23 05:58:29,375 [root] DEBUG: Started auxiliary module DigiSig
2020-06-23 05:58:29,375 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-23 05:58:29,375 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-23 05:58:29,375 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-23 05:58:29,390 [root] DEBUG: Started auxiliary module Disguise
2020-06-23 05:58:29,390 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-23 05:58:29,390 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-23 05:58:29,390 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-23 05:58:29,390 [root] DEBUG: Started auxiliary module Human
2020-06-23 05:58:29,390 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-23 05:58:29,406 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-23 05:58:29,406 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-23 05:58:29,406 [root] DEBUG: Started auxiliary module Procmon
2020-06-23 05:58:29,406 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-23 05:58:29,406 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-23 05:58:29,406 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-23 05:58:29,421 [root] DEBUG: Started auxiliary module Screenshots
2020-06-23 05:58:29,421 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-23 05:58:29,421 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-23 05:58:29,421 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-23 05:58:29,437 [root] DEBUG: Started auxiliary module Sysmon
2020-06-23 05:58:29,437 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-23 05:58:29,437 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-23 05:58:29,437 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-23 05:58:29,437 [root] DEBUG: Started auxiliary module Usage
2020-06-23 05:58:29,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-23 05:58:29,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-23 05:58:29,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-23 05:58:29,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-23 05:58:29,468 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe" with arguments "" with pid 3452
2020-06-23 05:58:29,468 [lib.api.process] INFO: Monitor config for process 3452: C:\tmp558c2t_g\dll\3452.ini
2020-06-23 05:58:29,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 05:58:29,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:29,687 [root] DEBUG: Loader: Injecting process 3452 (thread 4800) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:29,687 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:58:29,687 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:29,703 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 05:58:29,703 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:29,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3452
2020-06-23 05:58:31,703 [lib.api.process] INFO: Successfully resumed process with pid 3452
2020-06-23 05:58:32,000 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:58:32,000 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:58:32,015 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-23 05:58:32,015 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3452 at 0x73010000, image base 0x400000, stack from 0x186000-0x190000
2020-06-23 05:58:32,015 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe".
2020-06-23 05:58:32,078 [root] INFO: Loaded monitor into process with pid 3452
2020-06-23 05:58:32,078 [root] INFO: Disabling sleep skipping.
2020-06-23 05:58:32,093 [root] INFO: Disabling sleep skipping.
2020-06-23 05:58:32,093 [root] INFO: Disabling sleep skipping.
2020-06-23 05:58:32,125 [root] DEBUG: set_caller_info: Adding region at 0x03600000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-23 05:58:32,171 [root] DEBUG: set_caller_info: Adding region at 0x01C70000 to caller regions list (kernel32::GetSystemTime).
2020-06-23 05:58:32,187 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1c70000
2020-06-23 05:58:32,187 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01C70000 size 0x400000.
2020-06-23 05:58:32,187 [root] DEBUG: DumpPEsInRange: Scanning range 0x1c70000 - 0x1c71000.
2020-06-23 05:58:32,203 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1c70000-0x1c71000.
2020-06-23 05:58:32,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\3452_180510202032581423262020 (size 0xffe)
2020-06-23 05:58:32,265 [root] DEBUG: DumpRegion: Dumped stack region from 0x01C70000, size 0x1000.
2020-06-23 05:58:32,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\3452_55291431932581423262020 (size 0x8020)
2020-06-23 05:58:32,531 [root] DEBUG: DumpRegion: Dumped stack region from 0x03600000, size 0x9000.
2020-06-23 05:58:32,562 [root] DEBUG: set_caller_info: Adding region at 0x03B80000 to caller regions list (ntdll::memcpy).
2020-06-23 05:58:32,609 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\3452_189093960032581423262020 (size 0x1a)
2020-06-23 05:58:32,609 [root] DEBUG: DumpRegion: Dumped stack region from 0x03B80000, size 0x1000.
2020-06-23 05:58:32,671 [root] INFO: Announced 32-bit process name: 1Qwq8MjgewbM0R.exe pid: 2508
2020-06-23 05:58:32,671 [lib.api.process] INFO: Monitor config for process 2508: C:\tmp558c2t_g\dll\2508.ini
2020-06-23 05:58:32,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 05:58:32,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:32,734 [root] DEBUG: Loader: Injecting process 2508 (thread 2396) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,734 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:58:32,734 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,734 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 05:58:32,750 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2508
2020-06-23 05:58:32,750 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-23 05:58:32,781 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-23 05:58:32,781 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe" .
2020-06-23 05:58:32,781 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2508, ImageBase: 0x00400000
2020-06-23 05:58:32,796 [root] INFO: Announced 32-bit process name: 1Qwq8MjgewbM0R.exe pid: 2508
2020-06-23 05:58:32,796 [lib.api.process] INFO: Monitor config for process 2508: C:\tmp558c2t_g\dll\2508.ini
2020-06-23 05:58:32,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 05:58:32,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:32,828 [root] DEBUG: Loader: Injecting process 2508 (thread 2396) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,828 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:58:32,828 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,828 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-23 05:58:32,828 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,843 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2508
2020-06-23 05:58:32,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x124 amd local view 0x03CF0000 to global list.
2020-06-23 05:58:32,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x124 to target process 2508.
2020-06-23 05:58:32,843 [root] INFO: Announced 32-bit process name: 1Qwq8MjgewbM0R.exe pid: 2508
2020-06-23 05:58:32,843 [lib.api.process] INFO: Monitor config for process 2508: C:\tmp558c2t_g\dll\2508.ini
2020-06-23 05:58:32,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 05:58:32,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:32,875 [root] DEBUG: Loader: Injecting process 2508 (thread 0) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,875 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-23 05:58:32,875 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2396, handle 0xc4
2020-06-23 05:58:32,875 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:58:32,875 [root] DEBUG: InjectDllViaIAT: Executable DOS header zero.
2020-06-23 05:58:32,875 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,890 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2508
2020-06-23 05:58:32,890 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000AE490 (process 2508).
2020-06-23 05:58:32,890 [root] INFO: Announced 32-bit process name: 1Qwq8MjgewbM0R.exe pid: 2508
2020-06-23 05:58:32,890 [lib.api.process] INFO: Monitor config for process 2508: C:\tmp558c2t_g\dll\2508.ini
2020-06-23 05:58:32,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 05:58:32,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:32,937 [root] DEBUG: Loader: Injecting process 2508 (thread 2396) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,937 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:58:32,937 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,937 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-23 05:58:32,937 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 05:58:32,937 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 05:58:32,953 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2508
2020-06-23 05:58:32,953 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-23 05:58:32,953 [root] DEBUG: DumpProcess: Module entry point VA is 0x000AE490.
2020-06-23 05:58:33,046 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x34200.
2020-06-23 05:58:33,046 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-06-23 05:58:33,046 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:58:33,046 [root] DEBUG: DumpSectionViewsForPid: Shared section view found with pid 2508, local address 0x03CF0000.
2020-06-23 05:58:33,046 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3cf0000
2020-06-23 05:58:33,046 [root] DEBUG: DumpSectionViewsForPid: Dumping PE image from shared section view, local address 0x03CF0000.
2020-06-23 05:58:33,062 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 05:58:33,062 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x03CF0000.
2020-06-23 05:58:33,062 [root] DEBUG: DumpProcess: Module entry point VA is 0x000AE490.
2020-06-23 05:58:33,062 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2020-06-23 05:58:33,078 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x34200.
2020-06-23 05:58:33,093 [root] DEBUG: DumpSectionViewsForPid: Dumped PE image from shared section view.
2020-06-23 05:58:33,093 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3cf0001-0x3da0000.
2020-06-23 05:58:33,093 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3452
2020-06-23 05:58:33,093 [root] DEBUG: GetHookCallerBase: thread 2936 (handle 0x0), return address 0x036036E2, allocation base 0x03600000.
2020-06-23 05:58:33,093 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-23 05:58:33,093 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 05:58:33,109 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-23 05:58:33,109 [root] DEBUG: DumpProcess: Module entry point VA is 0x0006282C.
2020-06-23 05:58:33,140 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:58:33,156 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:58:33,171 [root] INFO: Disabling sleep skipping.
2020-06-23 05:58:33,171 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-23 05:58:33,187 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2508 at 0x73010000, image base 0x400000, stack from 0x186000-0x190000
2020-06-23 05:58:33,187 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe".
2020-06-23 05:58:34,249 [root] INFO: Loaded monitor into process with pid 2508
2020-06-23 05:58:34,812 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xbca00.
2020-06-23 05:58:35,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x72EE0000 to global list.
2020-06-23 05:58:35,328 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x63ffff
2020-06-23 05:58:35,343 [root] DEBUG: DumpMemory: Nothing to dump at 0x00540000!
2020-06-23 05:58:35,343 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00540000 size 0x100000.
2020-06-23 05:58:35,343 [root] DEBUG: DumpPEsInRange: Scanning range 0x540000 - 0x5f7000.
2020-06-23 05:58:35,343 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x540000-0x5f7000.
2020-06-23 05:58:35,468 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\2508_146303925035581423262020 (size 0xb6ffe)
2020-06-23 05:58:35,484 [root] DEBUG: DumpRegion: Dumped stack region from 0x00540000, size 0xb7000.
2020-06-23 05:58:35,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 amd local view 0x732A0000 to global list.
2020-06-23 05:58:35,500 [root] DEBUG: DLL loaded at 0x732A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-23 05:58:35,500 [root] DEBUG: DLL unloaded from 0x75E80000.
2020-06-23 05:58:35,515 [root] DEBUG: DLL loaded at 0x72600000: C:\Windows\system32\sxs (0x5f000 bytes).
2020-06-23 05:58:36,000 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-23 05:58:36,281 [root] DEBUG: DLL loaded at 0x750D0000: C:\Windows\syswow64\SHELL32 (0xc4c000 bytes).
2020-06-23 05:58:36,656 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-06-23 05:58:36,656 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-23 05:58:36,671 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-23 05:58:36,718 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 amd local view 0x70B40000 to global list.
2020-06-23 05:58:36,734 [root] DEBUG: DLL loaded at 0x70B40000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\Gdiplus (0x192000 bytes).
2020-06-23 05:58:37,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72E50000 for section view with handle 0x108.
2020-06-23 05:58:37,171 [root] DEBUG: DLL loaded at 0x72E50000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes).
2020-06-23 05:58:37,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x72FE0000 to global list.
2020-06-23 05:58:37,468 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec (0x13000 bytes).
2020-06-23 05:58:37,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76740000 for section view with handle 0x110.
2020-06-23 05:58:37,484 [root] DEBUG: DLL loaded at 0x76740000: C:\Windows\syswow64\WINTRUST (0x2f000 bytes).
2020-06-23 05:58:37,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76770000 for section view with handle 0x110.
2020-06-23 05:58:37,546 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-23 05:58:37,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x762F0000 for section view with handle 0x110.
2020-06-23 05:58:37,562 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-23 05:58:37,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x118 amd local view 0x72DC0000 to global list.
2020-06-23 05:58:37,609 [root] DEBUG: DLL loaded at 0x72DC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\COMCTL32 (0x84000 bytes).
2020-06-23 05:58:37,625 [root] DEBUG: DLL loaded at 0x70AC0000: C:\Windows\system32\RichEd20 (0x76000 bytes).
2020-06-23 05:58:37,640 [root] DEBUG: DLL unloaded from 0x70AC0000.
2020-06-23 05:58:37,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 amd local view 0x03F50000 to global list.
2020-06-23 05:58:37,703 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-23 05:58:37,703 [root] DEBUG: DLL unloaded from 0x70CE0000.
2020-06-23 05:58:38,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x12c amd local view 0x70A40000 to global list.
2020-06-23 05:58:38,234 [root] DEBUG: DLL loaded at 0x70A40000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks (0xf8000 bytes).
2020-06-23 05:58:38,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72FD0000 for section view with handle 0x12c.
2020-06-23 05:58:38,515 [root] DEBUG: DLL loaded at 0x72FD0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture (0x8000 bytes).
2020-06-23 05:58:38,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72D60000 for section view with handle 0x130.
2020-06-23 05:58:38,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x140 amd local view 0x03620000 to global list.
2020-06-23 05:58:38,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x148 amd local view 0x03640000 to global list.
2020-06-23 05:58:38,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:58:38,937 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-23 05:58:38,953 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:58:39,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x6FEE0000 to global list.
2020-06-23 05:58:39,015 [root] DEBUG: DLL loaded at 0x6FEE0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-23 05:58:39,093 [root] DEBUG: set_caller_info: Adding region at 0x03680000 to caller regions list (kernel32::SetErrorMode).
2020-06-23 05:58:39,093 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-23 05:58:39,109 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x36bffff
2020-06-23 05:58:39,109 [root] DEBUG: DumpMemory: Nothing to dump at 0x03680000!
2020-06-23 05:58:39,109 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x03680000 size 0x40000.
2020-06-23 05:58:39,109 [root] DEBUG: DumpPEsInRange: Scanning range 0x3680000 - 0x3681000.
2020-06-23 05:58:39,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3680000-0x3681000.
2020-06-23 05:58:39,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x03C60000 to global list.
2020-06-23 05:58:40,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06280000 for section view with handle 0x20c.
2020-06-23 05:58:40,406 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-23 05:58:40,421 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-23 05:58:42,390 [root] DEBUG: set_caller_info: Adding region at 0x064A0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-23 05:58:42,453 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x64affff
2020-06-23 05:58:42,453 [root] DEBUG: DumpMemory: Nothing to dump at 0x064A0000!
2020-06-23 05:58:42,468 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x064A0000 size 0x10000.
2020-06-23 05:58:42,468 [root] DEBUG: DumpPEsInRange: Scanning range 0x64a0000 - 0x64af000.
2020-06-23 05:58:42,468 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x64a0000-0x64af000.
2020-06-23 05:58:42,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\2508_208662927642581423262020 (size 0xe491)
2020-06-23 05:58:42,578 [root] DEBUG: DumpRegion: Dumped stack region from 0x064A0000, size 0xf000.
2020-06-23 05:58:42,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x6F260000 to global list.
2020-06-23 05:58:42,703 [root] DEBUG: DLL loaded at 0x6F260000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-23 05:58:42,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x6FD50000 to global list.
2020-06-23 05:58:42,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E680000 for section view with handle 0x214.
2020-06-23 05:58:42,781 [root] DEBUG: DLL loaded at 0x6E680000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-23 05:58:43,406 [root] DEBUG: set_caller_info: Adding region at 0x03670000 to caller regions list (ntdll::memcpy).
2020-06-23 05:58:43,421 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x03670000.
2020-06-23 05:58:43,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x062A0000 for section view with handle 0x214.
2020-06-23 05:58:43,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 amd local view 0x062B0000 to global list.
2020-06-23 05:58:43,515 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-23 05:58:44,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x6E4E0000 to global list.
2020-06-23 05:58:44,125 [root] DEBUG: DLL loaded at 0x6E4E0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-23 05:58:44,312 [root] DEBUG: set_caller_info: Adding region at 0x06440000 to caller regions list (kernel32::SetErrorMode).
2020-06-23 05:58:44,312 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x644ffff
2020-06-23 05:58:44,328 [root] DEBUG: DumpMemory: Nothing to dump at 0x06440000!
2020-06-23 05:58:44,328 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06440000 size 0x10000.
2020-06-23 05:58:44,328 [root] DEBUG: DumpPEsInRange: Scanning range 0x6440000 - 0x6441000.
2020-06-23 05:58:44,328 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6440000-0x6441000.
2020-06-23 05:58:44,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\2508_51670410444581423262020 (size 0x25b)
2020-06-23 05:58:44,406 [root] DEBUG: DumpRegion: Dumped stack region from 0x06440000, size 0x1000.
2020-06-23 05:58:44,437 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-23 05:58:44,453 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-23 05:58:44,453 [root] DEBUG: DLL loaded at 0x75DE0000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-23 05:58:44,484 [root] DEBUG: DLL loaded at 0x72F90000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-23 05:58:44,562 [root] DEBUG: DLL loaded at 0x6FCF0000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-23 05:58:44,593 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-23 05:58:44,640 [root] INFO: Stopping WMI Service
2020-06-23 05:58:52,484 [root] INFO: Stopped WMI Service
2020-06-23 05:58:52,906 [lib.api.process] INFO: Monitor config for process 588: C:\tmp558c2t_g\dll\588.ini
2020-06-23 05:58:52,937 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ncSdYG.dll, loader C:\tmp558c2t_g\bin\KLLlpQtB.exe
2020-06-23 05:58:52,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:52,968 [root] DEBUG: Loader: Injecting process 588 (thread 0) with C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:58:52,984 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDF000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD6000: The operation completed successfully.
2020-06-23 05:58:52,984 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-23 05:58:52,984 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-23 05:58:53,015 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:58:53,015 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:58:53,015 [root] INFO: Disabling sleep skipping.
2020-06-23 05:58:53,015 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 588 at 0x000000006E3E0000, image base 0x00000000FF500000, stack from 0x0000000001786000-0x0000000001790000
2020-06-23 05:58:53,031 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-06-23 05:58:53,093 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 05:58:53,125 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 05:58:53,140 [root] INFO: Loaded monitor into process with pid 588
2020-06-23 05:58:53,156 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 05:58:53,156 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 05:58:53,156 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:58:55,171 [root] INFO: Starting WMI Service
2020-06-23 05:58:55,312 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3616, handle 0x5fc.
2020-06-23 05:58:57,328 [root] INFO: Started WMI Service
2020-06-23 05:58:57,343 [lib.api.process] INFO: Monitor config for process 3616: C:\tmp558c2t_g\dll\3616.ini
2020-06-23 05:58:57,343 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ncSdYG.dll, loader C:\tmp558c2t_g\bin\KLLlpQtB.exe
2020-06-23 05:58:57,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:58:57,375 [root] DEBUG: Loader: Injecting process 3616 (thread 0) with C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:58:57,375 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD6000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFDC000: The operation completed successfully.
2020-06-23 05:58:57,375 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3140, handle 0xa8
2020-06-23 05:58:57,375 [root] DEBUG: Process image base: 0x00000000FF500000
2020-06-23 05:58:57,375 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-23 05:58:57,375 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-23 05:58:57,390 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:58:57,390 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:58:57,406 [root] INFO: Disabling sleep skipping.
2020-06-23 05:58:57,406 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3616 at 0x000000006E3E0000, image base 0x00000000FF500000, stack from 0x0000000001486000-0x0000000001490000
2020-06-23 05:58:57,406 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-23 05:58:57,468 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 05:58:57,468 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 05:58:57,484 [root] INFO: Loaded monitor into process with pid 3616
2020-06-23 05:58:57,484 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 05:58:57,484 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 05:58:57,484 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:58:59,515 [root] DEBUG: DLL loaded at 0x72F80000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-23 05:58:59,531 [root] DEBUG: DLL loaded at 0x6E370000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-23 05:58:59,609 [root] DEBUG: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-23 05:58:59,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2e0 amd local view 0x06A80000 to global list.
2020-06-23 05:58:59,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2e4 amd local view 0x6E260000 to global list.
2020-06-23 05:58:59,859 [root] DEBUG: DLL loaded at 0x6E260000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni (0x106000 bytes).
2020-06-23 05:58:59,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:58:59,984 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:59:00,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x334 amd local view 0x6FCB0000 to global list.
2020-06-23 05:59:00,125 [root] DEBUG: DLL loaded at 0x6FCB0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils (0x1e000 bytes).
2020-06-23 05:59:00,171 [root] DEBUG: set_caller_info: Adding region at 0x06C10000 to caller regions list (ole32::CoCreateInstance).
2020-06-23 05:59:00,171 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6c1ffff
2020-06-23 05:59:00,187 [root] DEBUG: DumpMemory: Nothing to dump at 0x06C10000!
2020-06-23 05:59:00,187 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06C10000 size 0x10000.
2020-06-23 05:59:00,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x6c10000 - 0x6c13000.
2020-06-23 05:59:00,203 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6c10000-0x6c13000.
2020-06-23 05:59:00,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\2508_910714175011523262020 (size 0x2164)
2020-06-23 05:59:00,312 [root] DEBUG: DumpRegion: Dumped stack region from 0x06C10000, size 0x3000.
2020-06-23 05:59:00,484 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:59:00,578 [root] DEBUG: set_caller_info: Adding region at 0x06C20000 to caller regions list (ntdll::memcpy).
2020-06-23 05:59:00,578 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6c2ffff
2020-06-23 05:59:00,578 [root] DEBUG: DumpMemory: Nothing to dump at 0x06C20000!
2020-06-23 05:59:00,578 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06C20000 size 0x10000.
2020-06-23 05:59:00,578 [root] DEBUG: DumpPEsInRange: Scanning range 0x6c20000 - 0x6c21000.
2020-06-23 05:59:00,593 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6c20000-0x6c21000.
2020-06-23 05:59:00,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\2508_16941391882041523262020 (size 0x1a0)
2020-06-23 05:59:00,640 [root] DEBUG: DumpRegion: Dumped stack region from 0x06C20000, size 0x1000.
2020-06-23 05:59:04,187 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1172, handle 0x5fc.
2020-06-23 05:59:06,640 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:59:18,906 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe
2020-06-23 05:59:20,718 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:59:20,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3b0 amd local view 0x06C80000 to global list.
2020-06-23 05:59:20,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3ac amd local view 0x06C80000 to global list.
2020-06-23 05:59:25,375 [root] DEBUG: DLL loaded at 0x000007FEF6790000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-06-23 05:59:25,421 [root] DEBUG: DLL loaded at 0x000007FEFAD80000: C:\Windows\system32\ATL (0x19000 bytes).
2020-06-23 05:59:25,468 [root] DEBUG: DLL loaded at 0x000007FEFA440000: C:\Windows\system32\samcli (0x14000 bytes).
2020-06-23 05:59:25,515 [root] DEBUG: DLL loaded at 0x000007FEFB520000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-06-23 05:59:25,562 [root] DEBUG: DLL loaded at 0x000007FEFAF90000: C:\Windows\system32\netutils (0xc000 bytes).
2020-06-23 05:59:25,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1dc amd local view 0x0000000002940000 to global list.
2020-06-23 05:59:25,609 [root] DEBUG: DLL unloaded from 0x000007FEF6700000.
2020-06-23 05:59:30,750 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 05:59:36,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3b4 amd local view 0x6E1A0000 to global list.
2020-06-23 05:59:36,421 [root] DEBUG: DLL loaded at 0x6E1A0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\51fb28e8a54a8d8f6021415d47477ab4\System.Security.ni (0xb3000 bytes).
2020-06-23 05:59:36,468 [root] DEBUG: set_caller_info: Adding region at 0x074C0000 to caller regions list (kernel32::SetErrorMode).
2020-06-23 05:59:36,515 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x74cffff
2020-06-23 05:59:36,562 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\2508_14694094812691523262020 (size 0x443f)
2020-06-23 05:59:36,562 [root] DEBUG: DumpRegion: Dumped stack region from 0x074C0000, size 0x5000.
2020-06-23 05:59:36,765 [root] DEBUG: DLL loaded at 0x72D50000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-23 05:59:36,781 [root] DEBUG: DLL unloaded from 0x764D0000.
2020-06-23 05:59:37,796 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-23 05:59:37,796 [lib.api.process] INFO: Monitor config for process 472: C:\tmp558c2t_g\dll\472.ini
2020-06-23 05:59:37,843 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ncSdYG.dll, loader C:\tmp558c2t_g\bin\KLLlpQtB.exe
2020-06-23 05:59:37,937 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:59:37,937 [root] DEBUG: Loader: Injecting process 472 (thread 0) with C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:37,984 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDF000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFDA000: The operation completed successfully.
2020-06-23 05:59:37,984 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-23 05:59:38,046 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-23 05:59:38,078 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:59:38,109 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:59:38,156 [root] INFO: Disabling sleep skipping.
2020-06-23 05:59:38,156 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 472 at 0x000000006E3E0000, image base 0x00000000FFF50000, stack from 0x0000000000FE6000-0x0000000000FF0000
2020-06-23 05:59:38,156 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-06-23 05:59:38,187 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 05:59:38,234 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 05:59:38,234 [root] INFO: Loaded monitor into process with pid 472
2020-06-23 05:59:38,281 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 05:59:38,281 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 05:59:38,328 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:38,687 [root] DEBUG: DLL unloaded from 0x000007FEFE9A0000.
2020-06-23 05:59:38,953 [root] INFO: Announced starting service "b'gupdate'"
2020-06-23 05:59:38,953 [lib.api.process] INFO: Monitor config for process 472: C:\tmp558c2t_g\dll\472.ini
2020-06-23 05:59:38,968 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ncSdYG.dll, loader C:\tmp558c2t_g\bin\KLLlpQtB.exe
2020-06-23 05:59:39,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:59:39,062 [root] DEBUG: Loader: Injecting process 472 (thread 0) with C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:39,062 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDF000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD5000: The operation completed successfully.
2020-06-23 05:59:39,062 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-23 05:59:39,062 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-23 05:59:39,062 [root] DEBUG: set_caller_info: Adding region at 0x0000000000300000 to caller regions list (ntdll::LdrLoadDll).
2020-06-23 05:59:39,187 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LDUomCgWz\CAPE\472_200705053239591123262020 (size 0x135)
2020-06-23 05:59:39,187 [root] DEBUG: DumpRegion: Dumped stack region from 0x0000000000300000, size 0x1000.
2020-06-23 05:59:39,187 [root] DEBUG: DLL loaded at 0x0000000001630000: C:\tmp558c2t_g\dll\ncSdYG (0xfc000 bytes).
2020-06-23 05:59:39,203 [root] DEBUG: DLL unloaded from 0x000007FEF8BA0000.
2020-06-23 05:59:39,203 [root] DEBUG: DLL unloaded from 0x0000000076EB0000.
2020-06-23 05:59:39,203 [root] DEBUG: DLL unloaded from 0x000007FEF8BA0000.
2020-06-23 05:59:39,203 [root] DEBUG: DLL unloaded from 0x0000000076EB0000.
2020-06-23 05:59:39,203 [root] DEBUG: DLL unloaded from 0x0000000001630000.
2020-06-23 05:59:39,249 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-06-23 05:59:39,249 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-06-23 05:59:39,296 [root] DEBUG: Failed to inject DLL C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:39,343 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 472, error: 4294967288
2020-06-23 05:59:39,390 [root] INFO: Announced 64-bit process name: lsass.exe pid: 1240
2020-06-23 05:59:39,390 [lib.api.process] INFO: Monitor config for process 1240: C:\tmp558c2t_g\dll\1240.ini
2020-06-23 05:59:39,421 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ncSdYG.dll, loader C:\tmp558c2t_g\bin\KLLlpQtB.exe
2020-06-23 05:59:39,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 05:59:39,437 [root] DEBUG: Loader: Injecting process 1240 (thread 4332) with C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:39,453 [root] DEBUG: Process image base: 0x00000000FFDB0000
2020-06-23 05:59:39,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:39,453 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-23 05:59:39,453 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-23 05:59:39,468 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:59:39,484 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:59:39,484 [root] INFO: Disabling sleep skipping.
2020-06-23 05:59:39,484 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 1240 at 0x000000006E3E0000, image base 0x00000000FFDB0000, stack from 0x0000000000334000-0x0000000000340000
2020-06-23 05:59:39,484 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2020-06-23 05:59:39,531 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 05:59:39,531 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 05:59:39,546 [root] INFO: Loaded monitor into process with pid 1240
2020-06-23 05:59:39,562 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 05:59:39,562 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 05:59:39,593 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 05:59:39,593 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-23 05:59:39,593 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1240, ImageBase: 0x00000000FFDB0000
2020-06-23 05:59:39,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1240.
2020-06-23 05:59:55,359 [root] DEBUG: DLL unloaded from 0x000007FEFD2B0000.
2020-06-23 06:00:09,609 [root] INFO: Process with pid 1240 has terminated
2020-06-23 06:00:09,812 [root] INFO: Announced 32-bit process name: GoogleUpdate.exe pid: 2408
2020-06-23 06:00:09,812 [lib.api.process] INFO: Monitor config for process 2408: C:\tmp558c2t_g\dll\2408.ini
2020-06-23 06:00:09,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 06:00:09,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 06:00:09,968 [root] DEBUG: Loader: Injecting process 2408 (thread 4304) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 06:00:10,000 [root] DEBUG: Process image base: 0x00FD0000
2020-06-23 06:00:10,000 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 06:00:10,093 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 06:00:10,093 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 06:00:10,187 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2408
2020-06-23 06:00:10,296 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc.
2020-06-23 06:00:10,296 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2408, ImageBase: 0x0000000000FD0000
2020-06-23 06:00:10,390 [root] INFO: Announced 32-bit process name: GoogleUpdate.exe pid: 2408
2020-06-23 06:00:10,390 [lib.api.process] INFO: Monitor config for process 2408: C:\tmp558c2t_g\dll\2408.ini
2020-06-23 06:00:10,390 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\rFPYYTZ.dll, loader C:\tmp558c2t_g\bin\ALYdCVF.exe
2020-06-23 06:00:10,406 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 06:00:10,406 [root] DEBUG: Loader: Injecting process 2408 (thread 4304) with C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 06:00:10,406 [root] DEBUG: Process image base: 0x00FD0000
2020-06-23 06:00:10,406 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 06:00:10,421 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-23 06:00:10,437 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\rFPYYTZ.dll.
2020-06-23 06:00:10,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2408
2020-06-23 06:00:10,453 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2408.
2020-06-23 06:00:10,500 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 06:00:10,562 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 06:00:10,656 [root] INFO: Disabling sleep skipping.
2020-06-23 06:00:10,656 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-23 06:00:10,750 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2408 at 0x73010000, image base 0xfd0000, stack from 0x336000-0x340000
2020-06-23 06:00:10,843 [root] INFO: Loaded monitor into process with pid 2408
2020-06-23 06:00:10,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x73AF0000 to global list.
2020-06-23 06:00:11,000 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-23 06:00:11,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x762F0000 for section view with handle 0xec.
2020-06-23 06:00:11,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3c4 amd local view 0x6DC60000 to global list.
2020-06-23 06:00:11,234 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-23 06:00:11,234 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2020-06-23 06:00:11,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x742C0000 for section view with handle 0x128.
2020-06-23 06:00:11,328 [root] DEBUG: set_caller_info: Adding region at 0x06450000 to caller regions list (kernel32::SetErrorMode).
2020-06-23 06:00:11,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x150 amd local view 0x026D0000 to global list.
2020-06-23 06:00:11,562 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-23 06:00:11,656 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "netsh" wlan show profile.
2020-06-23 06:00:11,718 [root] DEBUG: DLL loaded at 0x733E0000: C:\Windows\system32\dbghelp (0xeb000 bytes).
2020-06-23 06:00:11,796 [root] DEBUG: DLL unloaded from 0x733E0000.
2020-06-23 06:00:11,796 [root] DEBUG: DLL unloaded from 0x764D0000.
2020-06-23 06:00:11,937 [root] DEBUG: DLL loaded at 0x733E0000: C:\Windows\system32\dbghelp (0xeb000 bytes).
2020-06-23 06:00:11,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x194 amd local view 0x001A0000 to global list.
2020-06-23 06:00:11,953 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 2408).
2020-06-23 06:00:12,125 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 2408).
2020-06-23 06:00:12,171 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2408, handle 0x5ec.
2020-06-23 06:00:12,265 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-23 06:00:12,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c amd local view 0x6D8D0000 to global list.
2020-06-23 06:00:12,390 [root] DEBUG: DLL loaded at 0x6D8D0000: C:\Program Files (x86)\Google\Update\1.3.35.451\psmachine (0x42000 bytes).
2020-06-23 06:00:13,390 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1172, handle 0x244.
2020-06-23 06:00:13,390 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-23 06:00:13,984 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-23 06:00:14,015 [root] DEBUG: DLL unloaded from 0x00FD0000.
2020-06-23 06:00:14,031 [root] DEBUG: DLL loaded at 0x6D4B0000: C:\Windows\System32\msxml3 (0x134000 bytes).
2020-06-23 06:00:14,031 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\System32\bcrypt (0x17000 bytes).
2020-06-23 06:00:14,046 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-23 06:00:14,062 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x298 amd local view 0x6D450000 to global list.
2020-06-23 06:00:14,062 [root] DEBUG: DLL loaded at 0x6D450000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-23 06:00:14,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D3F0000 for section view with handle 0x298.
2020-06-23 06:00:14,062 [root] DEBUG: DLL loaded at 0x6D3F0000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-23 06:00:14,078 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-23 06:00:14,078 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-23 06:00:14,093 [root] DEBUG: DLL loaded at 0x6D3E0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-23 06:00:14,093 [root] DEBUG: DLL unloaded from 0x74360000.
2020-06-23 06:00:14,093 [root] DEBUG: DLL loaded at 0x6D7E0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-23 06:00:14,093 [root] DEBUG: DLL loaded at 0x6D7F0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-23 06:00:14,109 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-23 06:00:14,109 [root] DEBUG: DLL loaded at 0x750A0000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-23 06:00:14,125 [root] DEBUG: DLL loaded at 0x743D0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-23 06:00:14,140 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-23 06:00:14,218 [root] DEBUG: DLL loaded at 0x6D3B0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-23 06:00:14,218 [root] DEBUG: DLL unloaded from 0x6D450000.
2020-06-23 06:00:14,390 [root] DEBUG: DLL loaded at 0x6D350000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-23 06:00:14,437 [root] DEBUG: DLL loaded at 0x6D310000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-06-23 06:00:14,531 [root] DEBUG: DLL loaded at 0x6D300000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-06-23 06:00:14,531 [root] DEBUG: DLL loaded at 0x6D2E0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-06-23 06:00:14,609 [root] DEBUG: DLL loaded at 0x6D2D0000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-06-23 06:00:14,656 [root] DEBUG: DLL loaded at 0x6D2C0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-23 06:00:14,781 [root] DEBUG: DLL loaded at 0x6DB10000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-23 06:00:15,531 [root] DEBUG: DLL loaded at 0x6CFB0000: C:\Windows\SysWOW64\schannel (0x41000 bytes).
2020-06-23 06:00:16,234 [root] DEBUG: DLL loaded at 0x6CF80000: C:\Windows\system32\secur32 (0x8000 bytes).
2020-06-23 06:00:16,249 [root] DEBUG: DLL loaded at 0x6CEF0000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-06-23 06:00:16,328 [root] DEBUG: DLL loaded at 0x6CEB0000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2020-06-23 06:00:16,421 [root] DEBUG: DLL loaded at 0x6CE90000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-06-23 06:00:17,296 [root] DEBUG: DLL loaded at 0x73270000: C:\Windows\system32\WINSTA (0x29000 bytes).
2020-06-23 06:00:18,312 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-23 06:00:18,343 [root] DEBUG: DLL unloaded from 0x00FD0000.
2020-06-23 06:00:18,359 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-23 06:00:18,375 [root] DEBUG: DLL unloaded from 0x00FD0000.
2020-06-23 06:00:18,406 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2408, handle 0x3f4.
2020-06-23 06:00:18,421 [root] INFO: Stopping BITS Service
2020-06-23 06:00:25,390 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4020, handle 0x5ec.
2020-06-23 06:00:26,625 [root] INFO: Stopped BITS Service
2020-06-23 06:00:34,953 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-23 06:00:43,562 [root] DEBUG: DLL unloaded from 0x72FD0000.
2020-06-23 06:00:44,265 [root] DEBUG: DLL loaded at 0x6DC30000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2020-06-23 06:00:44,984 [root] INFO: Starting BITS Service
2020-06-23 06:00:49,437 [root] DEBUG: DLL loaded at 0x6DC10000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2020-06-23 06:00:49,531 [root] DEBUG: DLL loaded at 0x6DBE0000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2020-06-23 06:00:55,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f4 amd local view 0x06460000 to global list.
2020-06-23 06:00:55,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2508.
2020-06-23 06:01:03,718 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1084
2020-06-23 06:01:03,734 [lib.api.process] INFO: Monitor config for process 1084: C:\tmp558c2t_g\dll\1084.ini
2020-06-23 06:01:03,921 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ncSdYG.dll, loader C:\tmp558c2t_g\bin\KLLlpQtB.exe
2020-06-23 06:01:09,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DCgsNnr.
2020-06-23 06:01:09,609 [root] DEBUG: Loader: Injecting process 1084 (thread 4120) with C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 06:01:13,578 [root] DEBUG: Process image base: 0x00000000FF500000
2020-06-23 06:01:13,625 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 06:01:13,734 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-23 06:01:13,875 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-23 06:01:19,531 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 06:01:19,640 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 06:01:25,468 [root] INFO: Disabling sleep skipping.
2020-06-23 06:01:25,546 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 1084 at 0x000000006E3E0000, image base 0x00000000FF500000, stack from 0x0000000000316000-0x0000000000320000
2020-06-23 06:01:25,609 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-23 06:01:32,531 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 06:01:32,562 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 06:01:37,437 [root] INFO: Loaded monitor into process with pid 1084
2020-06-23 06:01:37,640 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 06:01:43,468 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 06:01:43,640 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ncSdYG.dll.
2020-06-23 06:01:52,546 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-23 06:01:52,546 [lib.api.process] ERROR: Failed to open terminate event for pid 3452
2020-06-23 06:01:52,546 [root] INFO: Terminate event set for process 3452.
2020-06-23 06:01:52,546 [lib.api.process] INFO: Terminate event set for process 2508
2020-06-23 06:01:57,453 [root] DEBUG: Terminate Event: Attempting to dump process 2508
2020-06-23 06:01:57,468 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-23 06:01:57,546 [lib.api.process] INFO: Termination confirmed for process 2508
2020-06-23 06:01:57,546 [root] INFO: Terminate event set for process 2508.
2020-06-23 06:01:57,546 [lib.api.process] INFO: Terminate event set for process 588
2020-06-23 06:02:02,546 [lib.api.process] INFO: Termination confirmed for process 588
2020-06-23 06:02:02,546 [root] INFO: Terminate event set for process 588.
2020-06-23 06:02:02,546 [lib.api.process] INFO: Terminate event set for process 3616
2020-06-23 06:02:03,453 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 06:02:03,562 [root] DEBUG: Terminate Event: Attempting to dump process 588
2020-06-23 06:02:07,546 [lib.api.process] INFO: Termination confirmed for process 3616
2020-06-23 06:02:07,546 [root] INFO: Terminate event set for process 3616.
2020-06-23 06:02:07,546 [lib.api.process] INFO: Terminate event set for process 472
2020-06-23 06:02:08,484 [root] DEBUG: Terminate Event: Attempting to dump process 3616
2020-06-23 06:02:08,531 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-23 06:02:08,609 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-23 06:02:08,671 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-23 06:02:12,546 [lib.api.process] INFO: Termination confirmed for process 472
2020-06-23 06:02:12,546 [root] INFO: Terminate event set for process 472.
2020-06-23 06:02:12,546 [lib.api.process] INFO: Terminate event set for process 2408
2020-06-23 06:02:13,437 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-06-23 06:02:13,546 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 06:02:15,562 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 06:02:17,546 [lib.api.process] INFO: Termination confirmed for process 2408
2020-06-23 06:02:17,546 [root] INFO: Terminate event set for process 2408.
2020-06-23 06:02:17,546 [lib.api.process] INFO: Terminate event set for process 1084
2020-06-23 06:02:21,437 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-23 06:02:21,578 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-23 06:02:21,656 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x4bc00.
2020-06-23 06:02:21,734 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-23 06:02:21,750 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-23 06:02:21,937 [root] DEBUG: Terminate Event: Shutdown complete for process 2508 but failed to inform analyzer.
2020-06-23 06:02:22,078 [root] DEBUG: Terminate Event: Attempting to dump process 1084
2020-06-23 06:02:22,328 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-23 06:02:22,328 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-23 06:02:22,421 [root] DEBUG: Terminate Event: Shutdown complete for process 588 but failed to inform analyzer.
2020-06-23 06:02:22,421 [root] DEBUG: Terminate Event: Shutdown complete for process 3616 but failed to inform analyzer.
2020-06-23 06:02:22,546 [lib.api.process] INFO: Termination confirmed for process 1084
2020-06-23 06:02:22,546 [root] INFO: Terminate event set for process 1084.
2020-06-23 06:02:22,546 [root] INFO: Created shutdown mutex.
2020-06-23 06:02:22,625 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-23 06:02:22,656 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 06:02:22,734 [root] DEBUG: Terminate Event: Attempting to dump process 472
2020-06-23 06:02:22,812 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-23 06:02:22,921 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-23 06:02:22,937 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-23 06:02:23,437 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFF50000.
2020-06-23 06:02:23,453 [root] DEBUG: DLL loaded at 0x000007FEFCD60000: C:\Windows\System32\cryptbase (0xf000 bytes).
2020-06-23 06:02:23,546 [root] INFO: Shutting down package.
2020-06-23 06:02:23,546 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 06:02:23,546 [root] INFO: Stopping auxiliary modules.
2020-06-23 06:02:23,609 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1084, ImageBase: 0x00000000FF500000
2020-06-23 06:02:23,609 [root] DEBUG: Terminate Event: Attempting to dump process 2408
2020-06-23 06:02:23,640 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFF50000.
2020-06-23 06:02:23,656 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000001331C.
2020-06-23 06:02:23,859 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-23 06:02:24,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1084.
2020-06-23 06:02:24,093 [root] DEBUG: Terminate Event: Shutdown complete for process 1084 but failed to inform analyzer.
2020-06-23 06:02:24,171 [lib.common.results] WARNING: File C:\LDUomCgWz\bin\procmon.xml doesn't exist anymore
2020-06-23 06:02:24,171 [root] INFO: Finishing auxiliary modules.
2020-06-23 06:02:24,171 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-23 06:02:24,218 [root] WARNING: Folder at path "C:\LDUomCgWz\debugger" does not exist, skip.
2020-06-23 06:02:24,249 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_3 win7x64_7 KVM 2020-06-23 05:58:26 2020-06-23 06:04:53

File Details

File Name 1Qwq8MjgewbM0R
File Size 769536 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 1992-06-19 22:22:17
MD5 7a06d76237aec0c1b8cc4bc643e3d627
SHA1 f792d22db97911044d9315627557e03fdc6df47f
SHA256 e888883e6993ab7df3edd30eba22f6282c33324a21ffbed661c6478393e2296e
SHA512 ce53d9b6a5c36a08fb7830f218ce30a88e7ce37f2faaf07746a09f82dcd6e33297994b138c2b59f19a4109687eeecb0e499c72c4ff99a876a8a9e5e46b592ace
CRC32 2C61AE76
Ssdeep 12288:CDRuXrEbb00e9ElcwOixtthKGc7WR5Sc7YpDqIjqbAPvhaXGV8IGJe/XYn/7rfTd:sYbQhe9RKthmg5ANNvha6G4fYTrfTZn/
Download Download ZIP Resubmit sample

Signatures

Behavioural detection: Executable code extraction - unpacking
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (1 unique times)
IP: 172.217.16.163:443
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2508 trigged the Yara rule 'AgentTeslaV2'
Hit: PID 3452 trigged the Yara rule 'shellcode_patterns'
Hit: PID 2508 trigged the Yara rule 'embedded_pe'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: 1Qwq8MjgewbM0R.exe, PID 3452
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: 1Qwq8MjgewbM0R.exe tried to sleep 865.474 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExA
DynamicLoader: oleaut32.dll/VariantChangeTypeEx
DynamicLoader: oleaut32.dll/VarNeg
DynamicLoader: oleaut32.dll/VarNot
DynamicLoader: oleaut32.dll/VarAdd
DynamicLoader: oleaut32.dll/VarSub
DynamicLoader: oleaut32.dll/VarMul
DynamicLoader: oleaut32.dll/VarDiv
DynamicLoader: oleaut32.dll/VarIdiv
DynamicLoader: oleaut32.dll/VarMod
DynamicLoader: oleaut32.dll/VarAnd
DynamicLoader: oleaut32.dll/VarOr
DynamicLoader: oleaut32.dll/VarXor
DynamicLoader: oleaut32.dll/VarCmp
DynamicLoader: oleaut32.dll/VarI4FromStr
DynamicLoader: oleaut32.dll/VarR4FromStr
DynamicLoader: oleaut32.dll/VarR8FromStr
DynamicLoader: oleaut32.dll/VarDateFromStr
DynamicLoader: oleaut32.dll/VarCyFromStr
DynamicLoader: oleaut32.dll/VarBoolFromStr
DynamicLoader: oleaut32.dll/VarBstrFromCy
DynamicLoader: oleaut32.dll/VarBstrFromDate
DynamicLoader: oleaut32.dll/VarBstrFromBool
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/AnimateWindow
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/FlushInstructionCache
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/FindResourceW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: kernel32.dll/EnumSystemLocalesEx
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetDateFormatEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetTimeFormatEx
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/IsValidLocaleName
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleExW
DynamicLoader: kernel32.dll/SetFileInformationByHandleW
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: ntdll.dll/ZwCreateSection
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorImageUnloading
DynamicLoader: mscoree.dll/_CorValidateImage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: mscoree.dll/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetModuleHandle
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: kernel32.dll/LoadLibrary
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: kernel32.dll/ZeroMemory
DynamicLoader: kernel32.dll/ZeroMemoryA
DynamicLoader: kernel32.dll/RtlZeroMemory
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/GetComputerName
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/CreateIoCompletionPort
DynamicLoader: kernel32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: kernel32.dll/CreateDirectory
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/CopyFile
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueEx
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: kernel32.dll/DeleteFile
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindNextFile
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/ZeroMemory
DynamicLoader: kernel32.dll/ZeroMemoryA
DynamicLoader: kernel32.dll/RtlZeroMemory
DynamicLoader: CRYPT32.dll/CryptUnprotectData
DynamicLoader: CRYPT32.dll/CryptUnprotectDataW
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/CreatePipe
DynamicLoader: kernel32.dll/CreatePipeW
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/GetCurrentDirectory
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: kernel32.dll/CreateProcess
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/GetConsoleOutputCP
DynamicLoader: kernel32.dll/GetConsoleOutputCPW
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: Culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: sxs.dll/SxsLookupClrGuid
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: sxs.dll/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: sxs.dll/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/SetClipboardViewerW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleGetClipboard
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/SetWindowsHookEx
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/InitOnceExecuteOnce
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleEx
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: kernel32.dll/GetSystemTimePreciseAsFileTime
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/TryAcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/SleepConditionVariableSRW
DynamicLoader: kernel32.dll/CreateThreadpoolWork
DynamicLoader: kernel32.dll/SubmitThreadpoolWork
DynamicLoader: kernel32.dll/CloseThreadpoolWork
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: goopdate.dll/DllEntry
DynamicLoader: kernel32.dll/RtlCaptureStackBackTrace
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: kernel32.dll/CreateMutexExW
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: dbghelp.dll/MiniDumpWriteDump
DynamicLoader: RPCRT4.dll/UuidCreate
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: dbghelp.dll/MiniDumpWriteDump
DynamicLoader: RPCRT4.dll/UuidCreate
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/InitOnceExecuteOnce
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleEx
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: kernel32.dll/GetSystemTimePreciseAsFileTime
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/TryAcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/SleepConditionVariableSRW
DynamicLoader: kernel32.dll/CreateThreadpoolWork
DynamicLoader: kernel32.dll/SubmitThreadpoolWork
DynamicLoader: kernel32.dll/CloseThreadpoolWork
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: psmachine.dll/DllGetClassObject
DynamicLoader: psmachine.dll/DllCanUnloadNow
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: winhttp.DLL/WinHttpAddRequestHeaders
DynamicLoader: winhttp.DLL/WinHttpCheckPlatform
DynamicLoader: winhttp.DLL/WinHttpCloseHandle
DynamicLoader: winhttp.DLL/WinHttpConnect
DynamicLoader: winhttp.DLL/WinHttpCrackUrl
DynamicLoader: winhttp.DLL/WinHttpCreateUrl
DynamicLoader: winhttp.DLL/WinHttpDetectAutoProxyConfigUrl
DynamicLoader: winhttp.DLL/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: winhttp.DLL/WinHttpGetDefaultProxyConfiguration
DynamicLoader: winhttp.DLL/WinHttpGetProxyForUrl
DynamicLoader: winhttp.DLL/WinHttpOpen
DynamicLoader: winhttp.DLL/WinHttpOpenRequest
DynamicLoader: winhttp.DLL/WinHttpQueryAuthSchemes
DynamicLoader: winhttp.DLL/WinHttpQueryDataAvailable
DynamicLoader: winhttp.DLL/WinHttpQueryHeaders
DynamicLoader: winhttp.DLL/WinHttpQueryOption
DynamicLoader: winhttp.DLL/WinHttpReadData
DynamicLoader: winhttp.DLL/WinHttpReceiveResponse
DynamicLoader: winhttp.DLL/WinHttpSendRequest
DynamicLoader: winhttp.DLL/WinHttpSetDefaultProxyConfiguration
DynamicLoader: winhttp.DLL/WinHttpSetCredentials
DynamicLoader: winhttp.DLL/WinHttpSetOption
DynamicLoader: winhttp.DLL/WinHttpSetStatusCallback
DynamicLoader: winhttp.DLL/WinHttpSetTimeouts
DynamicLoader: winhttp.DLL/WinHttpWriteData
DynamicLoader: ADVAPI32.dll/SetThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: SHLWAPI.dll/
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: schannel.dll/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: ncrypt.dll/SslLookupCipherLengths
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: WINSTA.dll/WinStationRegisterNotificationEvent
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/NdrAsyncClientCall
DynamicLoader: bcryptprimitives.dll/GetSignatureInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptGetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: WINSTA.dll/WinStationEnumerateW
DynamicLoader: RPCRT4.dll/I_RpcExceptionFilter
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: WINSTA.dll/WinStationFreeMemory
DynamicLoader: WINSTA.dll/WinStationQueryInformationW
DynamicLoader: WS2_32.dll/
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
At least one IP Address, Domain, or File Name was found in a crypto call
ioc: http://crl.globalsign.net/root-r2.crl0
Encrypts a single HTTP packet
http_request: POST /service/update2?cup2key=10:1637314058&cup2hreq=f3a3632757e2ed21abde62c2dda37a705a4c234f534a77fafe42352ffc28b138 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Google Update/1.3.35.451;winhttp;cup-ecdsa X-Old-UID: cnt=0 X-Goog-Update-AppId: {430FD4D0-B729-4F61-AA34-91526481799D},{8A69D345-D564-463C-AFF1-A69D9E530F96} X-Goog-Update-Updater: Omaha-1.3.35.451 X-Goog-Update-Interactivity: bg X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Content-Length: 1030 Host: update.googleapis.com
A process created a hidden window
Process: 1Qwq8MjgewbM0R.exe -> "netsh" wlan show profile
CAPE extracted potentially suspicious content
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
services.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Injected PE Image: 32-bit executable
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
1Qwq8MjgewbM0R.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: CODE, entropy: 6.52, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00061a00, virtual_size: 0x00061874
unknown section: name: DATA, entropy: 5.02, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000b000, virtual_size: 0x0000ae28
unknown section: name: BSS, entropy: 0.00, characteristics: IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00000bf9
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.36, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00045800, virtual_size: 0x00045798
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R
Uses Windows utilities for basic functionality
command: "netsh" wlan show profile
Behavioural detection: Injection (Process Hollowing)
Injection: 1Qwq8MjgewbM0R.exe(3452) -> 1Qwq8MjgewbM0R.exe(2508)
Executed a process and injected code into it, probably while unpacking
Injection: 1Qwq8MjgewbM0R.exe(3452) -> 1Qwq8MjgewbM0R.exe(2508)
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe:Zone.Identifier
Sniffs keystrokes
SetWindowsHookExW: Process: 1Qwq8MjgewbM0R.exe(2508)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Tries to unhook or modify Windows functions monitored by Cuckoo
unhook: function_name: NtCreateSection, type: modification
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (472) called API GetSystemTimeAsFileTime 3254694 times
Steals private information from local Internet browsers
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
file: C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\showmoneytwo
data: C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe
CAPE detected the AgentTeslaV2 malware family
Creates a copy of itself
copy: C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file: C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Louise\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Attempts to create or modify system certificates
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.145.123.29 [VT] United Kingdom
Y 13.107.42.23 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.ENU
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.ENU.DLL
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.EN
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.EN.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\sxs.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\shfolder.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\user32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\iphlpapi.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\advapi32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe.config
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\System32\l_intl.nls
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.INI
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\OLEAUT32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\oleaut32.dll
C:\Users\Louise\AppData\Local\Temp\showmoneytwo\
C:\Users\Louise\AppData\Local\Temp\showmoneytwo
C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe:Zone.Identifier
C:\Users\Louise\AppData\Local\Amigo\User Data
C:\Users\Louise\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Louise\AppData\Local\Chromium\User Data
C:\Users\Louise\AppData\Local\Iridium\User Data
C:\Users\Louise\AppData\Local\QIP Surf\User Data
C:\Users\Louise\AppData\Local\Orbitum\User Data
C:\Users\Louise\AppData\Local\Elements Browser\User Data
C:\Users\Louise\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Louise\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Louise\AppData\Local\Comodo\Dragon\User Data
C:\Users\Louise\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Louise\AppData\Local\7Star\7Star\User Data
C:\Users\Louise\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Louise\AppData\Local\Coowon\Coowon\User Data
C:\Users\Louise\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Louise\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Louise\AppData\Local\Torch\User Data
C:\Users\Louise\AppData\Local\liebao\User Data
C:\Users\Louise\AppData\Local\CocCoc\Browser\User Data
C:\Users\Louise\AppData\Local\CentBrowser\User Data
C:\Users\Louise\AppData\Local\Kometa\User Data
C:\Users\Louise\AppData\Local\Chedot\User Data
C:\Users\Louise\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Louise\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Louise\AppData\Local\Vivaldi\User Data
C:\Users\Louise\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Louise\AppData\Roaming\Postbox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\*
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\51fb28e8a54a8d8f6021415d47477ab4\System.Security.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.INI
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Local State
C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\crypt32.dll
\Device\KsecDD
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Louise\AppData\Local\Microsoft\Edge\User Data
C:\Users\Louise\AppData\Local\Temp\vaultcli.dll
C:\Users\Louise\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Program Files (x86)\jDownloader\config\database.script
C:\cftp\Ftplist.txt
C:\Users\Louise\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Louise\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Louise\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Louise\AppData\Roaming\Pocomail\accounts.ini
C:\Users\Louise\AppData\Roaming\The Bat!
C:\Users\Louise\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Louise\AppData\Local\UCBrowser\*
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\logins.json
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\signons.sqlite
C:\Users\Louise\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Users\Louise\AppData\Roaming\Psi\profiles
C:\Users\Louise\AppData\Roaming\Psi+\profiles
C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Louise\AppData\Roaming\K-Meleon\profiles.ini
\Device\NamedPipe\
C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\Louise\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Louise\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\FTP Navigator\Ftplist.txt
C:\Users\Louise\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
C:\Users\Louise\AppData\Local\Temp\Folder.lst
C:\Users\Louise\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\Storage\
C:\mail\
C:\Users\Louise\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Louise\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Users\Louise\AppData\Roaming\Claws-mail
C:\Users\Louise\AppData\Roaming\Claws-mail\clawsrc
C:\Users\Louise\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Louise\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\Users\Louise\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Louise\AppData\Roaming\Flock\Browser\profiles.ini
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Program Files (x86)\Google\Update\goopdate.dll
C:\Program Files (x86)\Google\Update\1.3.35.451\goopdate.dll
C:\Windows\System32\IPHLPAPI.DLL
C:\Windows\System32\winnsi.dll
C:\Windows\System32\msi.dll
C:\Windows\System32\netapi32.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\srvcli.dll
C:\Windows\System32\version.dll
C:\Windows\System32\userenv.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\wtsapi32.dll
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
C:\Windows\System32\msimg32.dll
C:\Windows\System32\uxtheme.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\GoogleUpdate.ini
C:\Windows\System32
C:\Program Files (x86)
C:\Program Files (x86)\Google
C:\Program Files (x86)\Google\CrashReports
\??\pipe\GoogleCrashServices\S-1-5-18
C:\Program Files (x86)\Google\Update\1.3.35.451
C:\Program Files (x86)\Google\Update\1.3.35.451\goopdateres_en.dll
C:\Program Files (x86)\Google\Policies
C:\Program Files (x86)\Google\Update\1.3.35.451\psmachine.dll
C:\Program Files (x86)\Google\Update
C:\Program Files (x86)\Google\Update\Download
C:\Program Files (x86)\Google\Update\Download\*
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\*
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\81.0.4044.113\*
C:\Program Files (x86)\Google\Update\Install
C:\Program Files (x86)\Google\Update\Install\*.*
C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\*
C:\Windows\System32\winhttp.dll
C:\Windows\System32\webio.dll
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Windows\System32\dnsapi.dll
C:\Users\Louise\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\Louise\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\Louise\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
\??\PIPE\wkssvc
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe.config
C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Roaming\Postbox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\51fb28e8a54a8d8f6021415d47477ab4\System.Security.ni.dll
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Local State
\Device\KsecDD
C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Louise\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Louise\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Louise\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Louise\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Louise\AppData\Roaming\K-Meleon\profiles.ini
\Device\NamedPipe\
C:\FTP Navigator\Ftplist.txt
C:\Users\Louise\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Louise\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\Users\Louise\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Louise\AppData\Roaming\Flock\Browser\profiles.ini
\??\PIPE\samr
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Program Files (x86)\Google\Update\1.3.35.451\goopdate.dll
C:\Windows\System32\IPHLPAPI.DLL
C:\Windows\System32\winnsi.dll
C:\Windows\System32\msi.dll
C:\Windows\System32\netapi32.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\srvcli.dll
C:\Windows\System32\version.dll
C:\Windows\System32\userenv.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\wtsapi32.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
C:\Windows\System32\msimg32.dll
C:\Windows\System32\uxtheme.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files (x86)\Google\CrashReports
\??\pipe\GoogleCrashServices\S-1-5-18
C:\Program Files (x86)\Google\Update\1.3.35.451\goopdateres_en.dll
C:\Program Files (x86)\Google\Update\1.3.35.451\psmachine.dll
C:\Windows\System32\winhttp.dll
C:\Windows\System32\webio.dll
\??\PIPE\wkssvc
C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe
\??\PIPE\samr
\??\pipe\GoogleCrashServices\S-1-5-18
\??\PIPE\wkssvc
C:\Users\Louise\AppData\Local\Temp\showmoneytwo\showmoneytwo.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\diasymreader.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorsec.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\1Qwq8MjgewbM0R.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscordacwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1Qwq8MjgewbM0R.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\392b90fc\6b6298fc
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\1Qwq8MjgewbM0R.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\AADB50D7
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\showmoneytwo
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\pv
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\Software\Google\Update\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\OemInstallTime
HKEY_LOCAL_MACHINE\Software\Google\UpdateDev\
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientStateMedium\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\usagestats
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\usagestats
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\uid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\old-uid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\eulaaccepted
HKEY_LOCAL_MACHINE\Software\Google\Enrollment\
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Enrollment\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\gupdate_service_name
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\Software\Google\Update\Clients\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\RegistrationUpdateHook
HKEY_LOCAL_MACHINE\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RegistrationUpdateHook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\eulaaccepted
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\name
HKEY_USERS\
HKEY_USERS\.DEFAULT\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-19\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-19\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-20\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-20\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_Classes\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_Classes\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1339698970-4093829097-1161395185-1000_Classes\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-18\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\tttoken
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\iid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\brand
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ActivePingDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\RollCallDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfLastActivity
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfLastRollCall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfInstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ping_freshness
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\eulaaccepted
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\pv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\name
HKEY_USERS\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-19\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-19\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-20\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-20\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_Classes\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_Classes\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1339698970-4093829097-1161395185-1000_Classes\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-18\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\tttoken
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\cohort
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\iid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\brand
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ActivePingDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RollCallDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfLastActivity
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfLastRollCall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfInstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ping_freshness
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\InstallerProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\InstallerProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\oeminstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\oeminstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\UBR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\experiment_labels
HKEY_LOCAL_MACHINE\Software\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}\PersistedPingString
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}\PersistedPingTime
HKEY_LOCAL_MACHINE\Software\Google\Update\PersistedPings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\pv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\pv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\experiment_labels
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\experiment_labels
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\uid-create-time
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\uid-num-rotations
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
\x9f68\x95EY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
\x9f68\x95EY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
\x9f68\x95EY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\SOFTWARE\Clients\StartMenuInternet
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Clients\StartMenuInternet\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
\x9f68\x95EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\proxy
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\proxy\source
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Classes\Local Settings\MuiCache\1e4\52C64B7E
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_CLASSES\Local Settings\MuiCache\1E4\52C64B7E\LanguageList
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_CLASSES\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_CLASSES\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertSyncDeltaTime
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\My\Keys
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\CA
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\CA\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\trust
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\trust\
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTime
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort\hint
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort\name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\UpdateAvailableCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\UpdateAvailableSince
HKEY_LOCAL_MACHINE\Software\Google\Update\PersistedPings\{719B90FD-61B9-4541-A529-FF05E6291107}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{719B90FD-61B9-4541-A529-FF05E6291107}\PersistedPingString
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{719B90FD-61B9-4541-A529-FF05E6291107}\PersistedPingTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\LastChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\DownloadTimeRemainingMs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\DownloadProgressPercent
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\diasymreader.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorsec.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscordacwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\AADB50D7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\showmoneytwo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6f06001f\475dce40\c0\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\pv
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\OemInstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\usagestats
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\usagestats
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\eulaaccepted
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\gupdate_service_name
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9957D25-7EB7-42C8-AD32-06AF7776A788}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\RegistrationUpdateHook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RegistrationUpdateHook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\eulaaccepted
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\tttoken
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\iid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\brand
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ActivePingDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\RollCallDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfLastActivity
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfLastRollCall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfInstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ping_freshness
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\eulaaccepted
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\pv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}\name
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\lang
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\tttoken
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\iid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\brand
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ActivePingDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RollCallDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfLastActivity
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfLastRollCall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfInstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ping_freshness
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\oeminstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\oeminstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\UBR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\experiment_labels
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\experiment_labels
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\experiment_labels
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\old-uid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\uid-create-time
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\uid-num-rotations
\x9f68\x95EY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
\x9f68\x95EY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
\x9f68\x95EY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Clients\StartMenuInternet\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
\x9f68\x95EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\proxy\source
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_CLASSES\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_CLASSES\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertSyncDeltaTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1916A2AF346D399F50313C393200F14140456616\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2A83E9020591A55FC6DDAD3FB102794C52B24E70\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3A850044D8A195CD401A680C012CB0A3B5F8DC08\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\43D9BCB568E039D073A74A71D8511F7476089CC3\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\471C949A8143DB5AD5CDF1C972864A2504FA23C9\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\6431723036FD26DEA502792FA595922493030F97\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\80962AE4D6C5B442894E95A13E4A699E07D694CF\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\86E817C81A5CA672FE000F36F878C19518D6F844\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8E5BD50D6AE686D65252F843A9D4B96D197730AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9845A431D51959CAF225322B4A4FE9F223CE6D15\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B533345D06F64516403C00DA03187D3BFEF59156\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B86E791620F759F17B8D25E38CA8BE32E7D5EAC2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C060ED44CBD881BD0EF86C0BA287DDCF8167478C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D018B62DC518907247DF50925BB09ACF4A5CB3AD\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F8A54E03AADC5692B850496A4C4630FFEAA29D83\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97\Blob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\BlobLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\UpdateAvailableCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\UpdateAvailableSince
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\showmoneytwo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
HKEY_LOCAL_MACHINE\Software\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}\PersistedPingString
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{5597ACF5-61A4-40B3-9382-93B035698F74}\PersistedPingTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\pv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\pv
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000_CLASSES\Local Settings\MuiCache\1E4\52C64B7E\LanguageList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\proxy\source
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\RollCallDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfLastRollCall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\ping_freshness
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\DayOfInstall
HKEY_LOCAL_MACHINE\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort\hint
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort\name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\UpdateAvailableCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\UpdateAvailableSince
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ActivePingDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RollCallDayStartSec
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfLastActivity
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfLastRollCall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ping_freshness
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\DayOfInstall
HKEY_LOCAL_MACHINE\Software\Google\Update\PersistedPings\{719B90FD-61B9-4541-A529-FF05E6291107}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{719B90FD-61B9-4541-A529-FF05E6291107}\PersistedPingString
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{719B90FD-61B9-4541-A529-FF05E6291107}\PersistedPingTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\LastChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\DownloadTimeRemainingMs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\DownloadProgressPercent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\uid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\old-uid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\InstallerProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\InstallerProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\iid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\tttoken
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\iid
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
user32.dll.GetMonitorInfoA
user32.dll.GetSystemMetrics
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
kernel32.dll.FileTimeToSystemTime
kernel32.dll.GetModuleHandleW
kernel32.dll.VirtualFree
kernel32.dll.LoadLibraryW
kernel32.dll.SizeofResource
kernel32.dll.GetModuleFileNameW
kernel32.dll.CreateFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.FlushInstructionCache
kernel32.dll.GetCurrentProcess
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.VirtualProtect
kernel32.dll.CloseHandle
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.GetProcAddress
kernel32.dll.GetFileSize
kernel32.dll.LCMapStringW
kernel32.dll.LCMapStringA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.HeapAlloc
kernel32.dll.GetStartupInfoW
kernel32.dll.DeleteCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.HeapFree
kernel32.dll.HeapReAlloc
kernel32.dll.HeapCreate
kernel32.dll.Sleep
kernel32.dll.ExitProcess
kernel32.dll.WriteFile
kernel32.dll.GetStdHandle
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetCommandLineW
kernel32.dll.SetHandleCount
kernel32.dll.GetFileType
kernel32.dll.GetStartupInfoA
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.InterlockedIncrement
kernel32.dll.SetLastError
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetLastError
kernel32.dll.InterlockedDecrement
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetTickCount
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.TerminateProcess
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.IsDebuggerPresent
kernel32.dll.RtlUnwind
kernel32.dll.GetCPInfo
kernel32.dll.GetACP
kernel32.dll.GetOEMCP
kernel32.dll.IsValidCodePage
kernel32.dll.HeapSize
kernel32.dll.GetLocaleInfoA
kernel32.dll.WideCharToMultiByte
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
psapi.dll.EnumProcessModules
shlwapi.dll.StrStrIW
shlwapi.dll.PathFileExistsW
mscoree.dll._CorExeMain
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll.GetProcessExecutableHeap
mscorwks.dll.GetCLRFunction
mscoree.dll.IEE
mscoreei.dll.IEE
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll.IEE
ntdll.dll.ZwCreateSection
kernel32.dll.MapViewOfFile
kernel32.dll.LoadLibraryExW
mscoreei.dll._CorExeMain
mscorwks.dll._CorExeMain
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
mscoree.dll._CorImageUnloading
mscoree.dll._CorValidateImage
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetVersionExW
kernel32.dll.GetFullPathNameW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
mscorjit.dll.getJit
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
user32.dll.CallWindowProcW
user32.dll.RegisterWindowMessageW
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
cryptsp.dll.CryptAcquireContextW
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
ole32.dll.MkParseDisplayName
oleaut32.dll.#200
oleaut32.dll.#2
oleaut32.dll.#7
oleaut32.dll.#6
kernel32.dll.CreateEventW
kernel32.dll.SwitchToThread
kernel32.dll.SetEvent
ole32.dll.CoWaitForMultipleHandles
ole32.dll.IIDFromString
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
ole32.dll.CoUninitialize
oleaut32.dll.#500
cryptsp.dll.CryptGetHashParam
advapi32.dll.GetUserNameW
kernel32.dll.GetComputerNameW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtGetCurrentProcessorNumber
kernel32.dll.CreateDirectoryW
kernel32.dll.CopyFileW
advapi32.dll.RegSetValueExW
user32.dll.GetLastInputInfo
kernel32.dll.DeleteFileW
shfolder.dll.SHGetFolderPathW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.FindNextFileW
kernel32.dll.ReadFile
oleaut32.dll.#204
oleaut32.dll.#203
oleaut32.dll.#179
kernel32.dll.UnmapViewOfFile
kernel32.dll.LocalFree
crypt32.dll.CryptUnprotectData
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.NdrClientCall2
cryptbase.dll.SystemFunction041
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
vaultcli.dll.VaultEnumerateVaults
kernel32.dll.CreatePipe
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.CreateProcessW
kernel32.dll.GetConsoleOutputCP
oleaut32.dll.#201
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsLookupClrGuid
kernel32.dll.ReleaseActCtx
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
oleaut32.dll.#9
oleaut32.dll.#4
ole32.dll.CoCreateGuid
user32.dll.SetClipboardViewer
ole32.dll.OleInitialize
ole32.dll.OleGetClipboard
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalFree
user32.dll.SendMessageW
user32.dll.SetWindowsHookExW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.WaitMessage
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
sechost.dll.ConvertSidToStringSidW
ole32.dll.CoTaskMemRealloc
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateSemaphoreW
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
goopdate.dll.DllEntry
kernel32.dll.RtlCaptureStackBackTrace
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.CreateMutexExW
dbghelp.dll.MiniDumpWriteDump
rpcrt4.dll.UuidCreate
psmachine.dll.DllGetClassObject
psmachine.dll.DllCanUnloadNow
ntdll.dll.RtlGetVersion
kernel32.dll.GetNativeSystemInfo
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpCheckPlatform
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpCreateUrl
winhttp.dll.WinHttpDetectAutoProxyConfigUrl
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetProxyForUrl
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpQueryAuthSchemes
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpSetDefaultProxyConfiguration
winhttp.dll.WinHttpSetCredentials
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSetStatusCallback
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpWriteData
advapi32.dll.SetThreadToken
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIfEntry2
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
nsi.dll.NsiFreeTable
advapi32.dll.RevertToSelf
shlwapi.dll.StrCmpNW
shlwapi.dll.#153
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
ws2_32.dll.WSASend
ws2_32.dll.WSARecv
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
ncrypt.dll.SslLookupCipherLengths
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
winsta.dll.WinStationRegisterNotificationEvent
advapi32.dll.CreateWellKnownSid
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcAsyncInitializeHandle
rpcrt4.dll.NdrAsyncClientCall
bcryptprimitives.dll.GetSignatureInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptDestroyKey
cryptsp.dll.CryptGetKeyParam
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptVerifySignature
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ncrypt.dll.SslEncryptPacket
ncrypt.dll.SslDecryptPacket
winsta.dll.WinStationEnumerateW
rpcrt4.dll.I_RpcExceptionFilter
winsta.dll.WinStationFreeMemory
winsta.dll.WinStationQueryInformationW
ws2_32.dll.#3
crypt32.dll.CertFreeCertificateContext
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
"C:\Users\Louise\AppData\Local\Temp\1Qwq8MjgewbM0R.exe"
"netsh" wlan show profile
C:\Windows\system32\lsass.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
C:\Windows\System32\svchost.exe -k netsvcs
Global\CLR_CASOFF_MUTEX
Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Global\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}
Global\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}
Global\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}
VaultSvc
gupdate

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x0046282c 0x00000000 0x000ca60f 4.0 1992-06-19 22:22:17 a3bfafd3839d7a926bcc393a99921236 b196788ae84ca5d7e6327df18fc58a89 0ab954406964a00a463561e23b1fff82

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
CODE 0x00000400 0x00001000 0x00061874 0x00061a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.52
DATA 0x00061e00 0x00063000 0x0000ae28 0x0000b000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.02
BSS 0x0006ce00 0x0006e000 0x00000bf9 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0006ce00 0x0006f000 0x000022b0 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.95
.tls 0x0006f200 0x00072000 0x00000010 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0006f200 0x00073000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x0006f400 0x00074000 0x00007188 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.65
.rsrc 0x00076600 0x0007c000 0x00045798 0x00045800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 7.36

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000babe4 0x000003af LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000bc1c8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_ICON 0x000bc2b0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.75 None
RT_DIALOG 0x000be858 0x00000052 LANG_NEUTRAL SUBLANG_NEUTRAL 2.56 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000c0db4 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_RCDATA 0x000c160c 0x000000ea LANG_ENGLISH SUBLANG_ENGLISH_US 7.05 None
RT_RCDATA 0x000c160c 0x000000ea LANG_ENGLISH SUBLANG_ENGLISH_US 7.05 None
RT_RCDATA 0x000c160c 0x000000ea LANG_ENGLISH SUBLANG_ENGLISH_US 7.05 None
RT_RCDATA 0x000c160c 0x000000ea LANG_ENGLISH SUBLANG_ENGLISH_US 7.05 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000c1770 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_ICON 0x000c1784 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None

Imports

0x46f13c VirtualFree
0x46f140 VirtualAlloc
0x46f144 LocalFree
0x46f148 LocalAlloc
0x46f14c GetVersion
0x46f150 GetCurrentThreadId
0x46f15c VirtualQuery
0x46f160 WideCharToMultiByte
0x46f164 MultiByteToWideChar
0x46f168 lstrlenA
0x46f16c lstrcpynA
0x46f170 LoadLibraryExA
0x46f174 GetThreadLocale
0x46f178 GetStartupInfoA
0x46f17c GetProcAddress
0x46f180 GetModuleHandleA
0x46f184 GetModuleFileNameA
0x46f188 GetLocaleInfoA
0x46f18c GetCommandLineA
0x46f190 FreeLibrary
0x46f194 FindFirstFileA
0x46f198 FindClose
0x46f19c ExitProcess
0x46f1a0 WriteFile
0x46f1a8 RtlUnwind
0x46f1ac RaiseException
0x46f1b0 GetStdHandle
0x46f1b8 GetKeyboardType
0x46f1bc LoadStringA
0x46f1c0 MessageBoxA
0x46f1c4 CharNextA
0x46f1cc RegQueryValueExA
0x46f1d0 RegOpenKeyExA
0x46f1d4 RegCloseKey
0x46f1dc SysFreeString
0x46f1e0 SysReAllocStringLen
0x46f1e4 SysAllocStringLen
0x46f1ec TlsSetValue
0x46f1f0 TlsGetValue
0x46f1f4 LocalAlloc
0x46f1f8 GetModuleHandleA
0x46f200 RegQueryValueExA
0x46f204 RegOpenKeyExA
0x46f208 RegCloseKey
0x46f210 lstrcpyA
0x46f214 WriteFile
0x46f21c WaitForSingleObject
0x46f220 VirtualQuery
0x46f224 VirtualAlloc
0x46f228 Sleep
0x46f22c SizeofResource
0x46f230 SetThreadLocale
0x46f234 SetFilePointer
0x46f238 SetEvent
0x46f23c SetErrorMode
0x46f240 SetEndOfFile
0x46f244 ResetEvent
0x46f248 ReadFile
0x46f24c MulDiv
0x46f250 LockResource
0x46f254 LoadResource
0x46f258 LoadLibraryA
0x46f264 GlobalUnlock
0x46f268 GlobalReAlloc
0x46f26c GlobalHandle
0x46f270 GlobalLock
0x46f274 GlobalFree
0x46f278 GlobalFindAtomA
0x46f27c GlobalDeleteAtom
0x46f280 GlobalAlloc
0x46f284 GlobalAddAtomA
0x46f288 GetVersionExA
0x46f28c GetVersion
0x46f290 GetTickCount
0x46f294 GetThreadLocale
0x46f29c GetSystemTime
0x46f2a0 GetSystemInfo
0x46f2a4 GetStringTypeExA
0x46f2a8 GetStdHandle
0x46f2ac GetProcAddress
0x46f2b0 GetModuleHandleA
0x46f2b4 GetModuleFileNameA
0x46f2b8 GetLocaleInfoA
0x46f2bc GetLocalTime
0x46f2c0 GetLastError
0x46f2c4 GetFullPathNameA
0x46f2c8 GetFileAttributesA
0x46f2cc GetDiskFreeSpaceA
0x46f2d0 GetDateFormatA
0x46f2d4 GetCurrentThreadId
0x46f2d8 GetCurrentProcessId
0x46f2dc GetCPInfo
0x46f2e0 GetACP
0x46f2e4 FreeResource
0x46f2e8 InterlockedExchange
0x46f2ec FreeLibrary
0x46f2f0 FormatMessageA
0x46f2f4 FindResourceA
0x46f2f8 FindFirstFileA
0x46f2fc FindClose
0x46f308 ExitThread
0x46f30c EnumCalendarInfoA
0x46f318 CreateThread
0x46f31c CreateFileA
0x46f320 CreateEventA
0x46f324 CompareStringA
0x46f328 CloseHandle
0x46f330 VerQueryValueA
0x46f338 GetFileVersionInfoA
0x46f340 UnrealizeObject
0x46f344 StretchBlt
0x46f348 SetWindowOrgEx
0x46f34c SetWinMetaFileBits
0x46f350 SetViewportOrgEx
0x46f354 SetTextColor
0x46f358 SetStretchBltMode
0x46f35c SetROP2
0x46f360 SetPixel
0x46f364 SetEnhMetaFileBits
0x46f368 SetDIBColorTable
0x46f36c SetBrushOrgEx
0x46f370 SetBkMode
0x46f374 SetBkColor
0x46f378 SelectPalette
0x46f37c SelectObject
0x46f380 SelectClipRgn
0x46f384 SaveDC
0x46f388 RestoreDC
0x46f38c Rectangle
0x46f390 RectVisible
0x46f394 RealizePalette
0x46f398 Polyline
0x46f39c PlayEnhMetaFile
0x46f3a0 PathToRegion
0x46f3a4 PatBlt
0x46f3a8 MoveToEx
0x46f3ac MaskBlt
0x46f3b0 LineTo
0x46f3b4 IntersectClipRect
0x46f3b8 GetWindowOrgEx
0x46f3bc GetWinMetaFileBits
0x46f3c0 GetTextMetricsA
0x46f3cc GetStockObject
0x46f3d0 GetPixel
0x46f3d4 GetPaletteEntries
0x46f3d8 GetObjectA
0x46f3e4 GetEnhMetaFileBits
0x46f3e8 GetDeviceCaps
0x46f3ec GetDIBits
0x46f3f0 GetDIBColorTable
0x46f3f4 GetDCOrgEx
0x46f3fc GetClipRgn
0x46f400 GetClipBox
0x46f404 GetBrushOrgEx
0x46f408 GetBitmapBits
0x46f40c ExcludeClipRect
0x46f410 DeleteObject
0x46f414 DeleteEnhMetaFile
0x46f418 DeleteDC
0x46f41c CreateSolidBrush
0x46f420 CreateRectRgn
0x46f424 CreatePenIndirect
0x46f428 CreatePalette
0x46f430 CreateFontIndirectA
0x46f434 CreateDIBitmap
0x46f438 CreateDIBSection
0x46f43c CreateCompatibleDC
0x46f444 CreateBrushIndirect
0x46f448 CreateBitmap
0x46f44c CopyEnhMetaFileA
0x46f450 BitBlt
0x46f458 CreateWindowExA
0x46f45c WindowFromPoint
0x46f460 WinHelpA
0x46f464 WaitMessage
0x46f468 UpdateWindow
0x46f46c UnregisterClassA
0x46f470 UnhookWindowsHookEx
0x46f474 TranslateMessage
0x46f47c TrackPopupMenu
0x46f484 ShowWindow
0x46f488 ShowScrollBar
0x46f48c ShowOwnedPopups
0x46f490 ShowCursor
0x46f494 SetWindowsHookExA
0x46f498 SetWindowPos
0x46f49c SetWindowPlacement
0x46f4a0 SetWindowLongA
0x46f4a4 SetTimer
0x46f4a8 SetScrollRange
0x46f4ac SetScrollPos
0x46f4b0 SetScrollInfo
0x46f4b4 SetRect
0x46f4b8 SetPropA
0x46f4bc SetParent
0x46f4c0 SetMenuItemInfoA
0x46f4c4 SetMenu
0x46f4c8 SetForegroundWindow
0x46f4cc SetFocus
0x46f4d0 SetCursor
0x46f4d4 SetClassLongA
0x46f4d8 SetCapture
0x46f4dc SetActiveWindow
0x46f4e0 SendMessageA
0x46f4e4 ScrollWindow
0x46f4e8 ScreenToClient
0x46f4ec RemovePropA
0x46f4f0 RemoveMenu
0x46f4f4 ReleaseDC
0x46f4f8 ReleaseCapture
0x46f504 RegisterClassA
0x46f508 RedrawWindow
0x46f50c PtInRect
0x46f510 PostQuitMessage
0x46f514 PostMessageA
0x46f518 PeekMessageA
0x46f51c OffsetRect
0x46f520 OemToCharA
0x46f524 MessageBoxA
0x46f528 MapWindowPoints
0x46f52c MapVirtualKeyA
0x46f530 LockWindowUpdate
0x46f534 LoadStringA
0x46f538 LoadKeyboardLayoutA
0x46f53c LoadIconA
0x46f540 LoadCursorA
0x46f544 LoadBitmapA
0x46f548 KillTimer
0x46f54c IsZoomed
0x46f550 IsWindowVisible
0x46f554 IsWindowEnabled
0x46f558 IsWindow
0x46f55c IsRectEmpty
0x46f560 IsIconic
0x46f564 IsDialogMessageA
0x46f568 IsChild
0x46f56c InvalidateRect
0x46f570 IntersectRect
0x46f574 InsertMenuItemA
0x46f578 InsertMenuA
0x46f57c InflateRect
0x46f584 GetWindowTextA
0x46f588 GetWindowRect
0x46f58c GetWindowPlacement
0x46f590 GetWindowLongA
0x46f594 GetWindowDC
0x46f598 GetTopWindow
0x46f59c GetSystemMetrics
0x46f5a0 GetSystemMenu
0x46f5a4 GetSysColorBrush
0x46f5a8 GetSysColor
0x46f5ac GetSubMenu
0x46f5b0 GetScrollRange
0x46f5b4 GetScrollPos
0x46f5b8 GetScrollInfo
0x46f5bc GetPropA
0x46f5c0 GetParent
0x46f5c4 GetWindow
0x46f5c8 GetMessagePos
0x46f5cc GetMenuStringA
0x46f5d0 GetMenuState
0x46f5d4 GetMenuItemInfoA
0x46f5d8 GetMenuItemID
0x46f5dc GetMenuItemCount
0x46f5e0 GetMenu
0x46f5e4 GetLastActivePopup
0x46f5e8 GetKeyboardState
0x46f5f0 GetKeyboardLayout
0x46f5f4 GetKeyState
0x46f5f8 GetKeyNameTextA
0x46f5fc GetIconInfo
0x46f600 GetForegroundWindow
0x46f604 GetFocus
0x46f608 GetDlgItem
0x46f60c GetDesktopWindow
0x46f610 GetDCEx
0x46f614 GetDC
0x46f618 GetCursorPos
0x46f61c GetCursor
0x46f620 GetClipboardData
0x46f624 GetClientRect
0x46f628 GetClassNameA
0x46f62c GetClassInfoA
0x46f630 GetCapture
0x46f634 GetActiveWindow
0x46f638 FrameRect
0x46f63c FindWindowA
0x46f640 FillRect
0x46f644 EqualRect
0x46f648 EnumWindows
0x46f64c EnumThreadWindows
0x46f650 EndPaint
0x46f654 EndDeferWindowPos
0x46f658 EnableWindow
0x46f65c EnableScrollBar
0x46f660 EnableMenuItem
0x46f664 DrawTextA
0x46f668 DrawMenuBar
0x46f66c DrawIconEx
0x46f670 DrawIcon
0x46f674 DrawFrameControl
0x46f678 DrawFocusRect
0x46f67c DrawEdge
0x46f680 DispatchMessageA
0x46f684 DestroyWindow
0x46f688 DestroyMenu
0x46f68c DestroyIcon
0x46f690 DestroyCursor
0x46f694 DeleteMenu
0x46f698 DeferWindowPos
0x46f69c DefWindowProcA
0x46f6a0 DefMDIChildProcA
0x46f6a4 DefFrameProcA
0x46f6a8 CreatePopupMenu
0x46f6ac CreateMenu
0x46f6b0 CreateIcon
0x46f6b4 ClientToScreen
0x46f6b8 CheckMenuItem
0x46f6bc CallWindowProcA
0x46f6c0 CallNextHookEx
0x46f6c4 BeginPaint
0x46f6c8 BeginDeferWindowPos
0x46f6cc CharNextA
0x46f6d0 CharLowerBuffA
0x46f6d4 CharLowerA
0x46f6d8 CharToOemA
0x46f6dc AdjustWindowRectEx
0x46f6e8 Sleep
0x46f6f0 SafeArrayPtrOfIndex
0x46f6f4 SafeArrayGetUBound
0x46f6f8 SafeArrayGetLBound
0x46f6fc SafeArrayCreate
0x46f700 VariantChangeType
0x46f704 VariantCopy
0x46f708 VariantClear
0x46f70c VariantInit
0x46f71c ImageList_Write
0x46f720 ImageList_Read
0x46f730 ImageList_DragMove
0x46f734 ImageList_DragLeave
0x46f738 ImageList_DragEnter
0x46f73c ImageList_EndDrag
0x46f740 ImageList_BeginDrag
0x46f744 ImageList_Remove
0x46f748 ImageList_DrawEx
0x46f74c ImageList_Replace
0x46f750 ImageList_Draw
0x46f760 ImageList_Add
0x46f768 ImageList_Destroy
0x46f76c ImageList_Create
0x46f770 InitCommonControls
0x46f778 GetSaveFileNameA
0x46f77c GetOpenFileNameA

This program must be run under Win32
`DATA
.idata
.rdata
P.reloc
P.rsrc
Boolean
False
Integer
Cardinal
String
TObject
TObject
System
IInterface
System
TInterfacedObject
SVWUQ
Z]_^[
YZ]_^[
w;;t$
SVWUQ
Z]_^[
YZ]_^[
Uhd"@
_^[YY]
_^[Y]
YZ]_^[
_^[Y]
C<"u1S
Q<"u8S
,$YXZ
~KxI[)
BkU'9
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
_^[YY]
PPRTj
YZXtp
YZXtm1
ZTUWVSPRTj
t=HtN
Ph~;@
Uhf<@
t-Rf;
t f;J
SVWRP
Z_^[X
tVSVWU
t1SVW
t-Rf;
t f;J
kernel32.dll
GetLongPathNameA
Software\Borland\Locales
Software\Borland\Delphi\Locales
_^[YY]
FFF;M
^[YY]
odSelected
odGrayed
odDisabled
odChecked
odFocused
odDefault
odHotLight
odInactive
odNoAccel
odNoFocusRect
odReserved1
odReserved2
odComboBoxEdit
Windows
TOwnerDrawState
_^[Y]
_^[Y]
_^[Y]
Magellan MSWHEEL
MouseZ
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
TFileName
Exception
EHeapException
EOutOfMemory
EInOutError
EExternal
EExternalException
EIntError
EDivByZero
ERangeError
EIntOverflow
EMathError
EInvalidOp
EZeroDivide
EOverflow
EUnderflow
EInvalidPointer
EInvalidCast
EConvertError
EAccessViolation
EPrivilege
EStackOverflow
EControlC
EVariantError
EAssertionFailed
EAbstractError
EIntfCastError
EOSError
ESafecallException
SysUtils
SysUtils
TThreadLocalCounter
$TMultiReadExclusiveWriteSynchronizer
SWSVj
False
_^[Y]
TStrData
^[YY]
$Z_^[
$Z_^[
^[YY]
<*t"<0r=<9w9i
INFNAN
QS<$t
_^[YY]
t%HtIHtm
AM/PM
_^[YY]
SVWUQ
$Z]_^[
_^[Y]
QQQQQQSVW3
QQQQQSVW
D$PPj
D$LPj
_^[Y]
_^[YY]
TErrorRec
TExceptRec
t<HtH
$YZ^[
$YZ^[
WUWSj
YZ]_^[
_^[Y]
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
SVWUQ
(Z]_^[
SVWUQ
;w$t|
Z]_^[
;F$t=
;C$t4
_^[Y]
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarOr
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
TCustomVariantType
TCustomVariantType
Variants
EVariantInvalidOpError
EVariantTypeCastError
EVariantOverflowError
EVariantInvalidArgError`
EVariantBadVarTypeError
EVariantBadIndexError
EVariantArrayLockedError
EVariantArrayCreateError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantUnexpectedError(
EVariantDispatchError
t?Htb
QQQQSV
Empty
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Error
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
Int64
String
Array
ByRef
Variants
_^[YY]
_^[Y]
SVWUQ
Z]_^[
_^[Y]
False
_^[Y]
_^[YY]
$YZ^[
TAlignment
taLeftJustify
taRightJustify
taCenter
Classes
TLeftRight
Classes
TBiDiMode
bdLeftToRight
bdRightToLeft
bdRightToLeftNoAlign
bdRightToLeftReadingOnly
Classes
ssShift
ssAlt
ssCtrl
ssLeft
ssRight
ssMiddle
ssDouble
Classes
TShiftState
THelpContext
THelpType
htKeyword
htContext
Classes
TShortCut
TNotifyEvent
Sender
TObject
EStreamError
EFileStreamError
EFCreateError
EFOpenError
EFilerErrorD
EReadError
EWriteError
EClassNotFound
EResNotFound
EListError
EBitsError
EStringListError
EComponentError
EOutOfResourcest
EInvalidOperation
TList
TThreadList
TBits
TPersistent
TPersistent
Classes
TInterfacedPersistent
TInterfacedPersistent
Classes
TCollectionItem
TCollectionItem
Classes
TCollection
Classes
IStringsAdapter
Classes
TStrings
TStringsL
Classes
TStringItem
TStringList$
TStringList|
Classes
TStream
THandleStream
TFileStream
TCustomMemoryStreaml!A
TMemoryStream
TResourceStream
TStreamAdapter
TClassFinder
TFiler
TReader
EThreadX%A
TComponentNamel%A
IDesignerNotify
Classes
TComponent
TComponent
Classes
Name<
TBasicActionLink
TBasicAction
TBasicActiont(A
Classes
TIdentMapEntry
TRegGroup
TRegGroups
YZ]_^[
_^[Y]
_^[Y]
SVWUQ
u%CNu
Z]_^[
SVWUQ
$Z]_^[
Uh3-A
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
UhC0A
SVWUQ
$Z]_^[
Uh+3A
_^[YY]
Uh|4A
Uha5A
UhK6A
TIntConst
_^[Y]
_^[Y]
_^[YY]
_^[Y]
Uh*;A
;5H&A
UhP=A
Uh4AA
SVWUQ
Z]_^[
UhZDA
PhtFA
_^[Y]
UhIHA
%s[%d]
_^[Y]
W<CNu
UhtOA
PhdZA
Strings
_^[Y]
UhpRA
UhNRA
UhWUA
S$_^[Y]
^[YY]
UhmWA
UhPWA
_^[YY]
SVWUQ
SdZ]_^[
UhXXA
Uh3XA
UhTZA
Uh7ZA
SVWUQ
$Z]_^[
^[YY]
Uh\eA
_^[Y]
TPropFixup
TPropIntfFixup
_^[YY]
Owner
UhapA
_^[YY]
Uh#rA
_^[Y]
Uh/vA
C0_^[
UhWxA
Classes
_^[Y]
UhX|A
False
_^[YY]
QQQQ3
%s_%d
_^[YY]
^[YY]
QQQQQQQS
SVWUQ
Z]_^[
_^[Y]
S _^[
SVWUQ
Z]_^[
YZ_^[
SVWUQ
Z]_^[
G0_^[
;CDt:
R0_^[]
_^[YY]
TPUtilWindow
TColor
EInvalidGraphic
EInvalidGraphicOperation
TFontPitch
fpDefault
fpVariable
fpFixed
Graphics
TFontName
TFontCharset
TFontStyle
fsBold
fsItalic
fsUnderline
fsStrikeOut
Graphics
TFontStyles
TPenStyle
psSolid
psDash
psDot
psDashDot
psDashDotDot
psClear
psInsideFrame
Graphics
TPenMode
pmBlack
pmWhite
pmNop
pmNot
pmCopy
pmNotCopy
pmMergePenNot
pmMaskPenNot
pmMergeNotPen
pmMaskNotPen
pmMerge
pmNotMerge
pmMask
pmNotMask
pmXor
pmNotXor
Graphics
TBrushStyle
bsSolid
bsClear
bsHorizontal
bsVertical
bsFDiagonal
bsBDiagonal
bsCross
bsDiagCross
Graphics
TGraphicsObject
TGraphicsObject
Graphics
IChangeNotifier
Graphics
TFont
TFont
Graphics
CharsetX
Color<
Heightx
Name4
Pitch<
Style
TPenH
Graphics
Colort
Style<
Width
TBrush
TBrushH
Graphics
Color0
Style
TCanvas0
TCanvas
Graphics
Brush<
CopyMode
Font\
TProgressStage
psStarting
psRunning
psEnding
Graphics
TProgressEvent
Sender
TObject
Stage
TProgressStage
PercentDone
RedrawNow
Boolean
TRect
String
TGraphic
TGraphich
Graphics
TPicture
TPicture
Graphics
TSharedImage
TMetafileImage
TMetafile
TMetafile(
Graphics
TBitmapImage
TBitmap
TBitmaph
Graphics
TIconImage
TIcon
TIcon
Graphics
TResourceManager
^[YY]
_^[YY]
_^[Y]
^[YY]
clBlack
clMaroon
clGreen
clOlive
clNavy
clPurple
clTeal
clGray
clSilver
clRed
clLime
clYellow
clBlue
clFuchsia
clAqua
clWhite
clMoneyGreen
clSkyBlue
clCream
clMedGray
clActiveBorder
clActiveCaption
clAppWorkSpace
clBackground
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clDefault
clGradientActiveCaption
clGradientInactiveCaption
clGrayText
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clMenu
clMenuBar
clMenuHighlight
clMenuText
clNone
clScrollBar
cl3DDkShadow
cl3DLight
clWindow
clWindowFrame
clWindowText
ANSI_CHARSET
DEFAULT_CHARSET
SYMBOL_CHARSET
MAC_CHARSET
SHIFTJIS_CHARSET
HANGEUL_CHARSET
JOHAB_CHARSET
GB2312_CHARSET
CHINESEBIG5_CHARSET
GREEK_CHARSET
TURKISH_CHARSET
HEBREW_CHARSET
ARABIC_CHARSET
BALTIC_CHARSET
RUSSIAN_CHARSET
THAI_CHARSET
EASTEUROPE_CHARSET
OEM_CHARSET
Default
_^[Y]
$YZ^[
E$PVSj
YZ_^[
$Z_^[
_^[YY]
C ;C$s
TFileFormat
TFileFormatsList
QQQQSV
_^[YY]
%s%s (*.%s)|*.%2:s
%s*.%s
%s (%s)|%1:s|%s
TClipboardFormats
_^[YY]
_^[Y]
3TjdP
kD$TdP
3TjdP
kD$PdP
EMFt
?TjdR
D$LPkD$XdPV
?TjdR
D$HPkD$TdPV
|$( EMFt
^[YY]
TBitmapCanvas
TBitmapCanvasH
Graphics
Uhv B
UhT B
Uh* B
UhK#B
@pPV3
Uh%(B
Uhg+B
Uh+.B
_^[YY]
Uh73B
Uhs2B
<$BMt
Uh?5B
T]_^[
s(;~ t8
;V4tA
D$*Ph
Uh.<B
C(_^[Y]
UhIAB
\$4Vj
SVWjH
TPatternManagerSV
_^[YY]
UhIFB
TObjectListLHB
TOrderedList
TStack
Uh=JB
comctl32.dll
InitCommonControlsEx
_^[Y]
GetMonitorInfoA
GetSystemMetrics
MonitorFromRect
MonitorFromWindow
MonitorFromPoint
>(r[j
GetMonitorInfo
DISPLAY
>(r[j
GetMonitorInfoA
DISPLAY
>(r[j
GetMonitorInfoW
DISPLAY
EnumDisplayMonitors
USER32.DLL
UhUSB
IHelpSelector
HelpIntfs
IHelpSystem
HelpIntfs
ICustomHelpViewer
HelpIntfs
IExtendedHelpViewer
HelpIntfs
ISpecialWinHelpViewerPTB
HelpIntfs
IHelpManager
HelpIntfs
EHelpSystemException
THelpViewerNode
THelpManager
R(FKu
Uh5_B
Uh7`B
Uh;aB
UhMbB
_^[Y]
comctl32.dll
InitializeFlatSB
UninitializeFlatSB
FlatSB_GetScrollProp
FlatSB_SetScrollProp
FlatSB_EnableScrollBar
FlatSB_ShowScrollBar
FlatSB_GetScrollRange
FlatSB_GetScrollInfo
FlatSB_GetScrollPos
FlatSB_SetScrollPos
FlatSB_SetScrollInfo
FlatSB_SetScrollRange
Uh!gB
TSynchroObject
TCriticalSection
UhSnB
uxtheme.dll
OpenThemeData
CloseThemeData
DrawThemeBackground
DrawThemeText
GetThemeBackgroundContentRect
GetThemePartSize
GetThemeTextExtent
GetThemeTextMetrics
GetThemeBackgroundRegion
HitTestThemeBackground
DrawThemeEdge
DrawThemeIcon
IsThemePartDefined
IsThemeBackgroundPartiallyTransparent
GetThemeColor
GetThemeMetric
GetThemeString
GetThemeBool
GetThemeInt
GetThemeEnumValue
GetThemePosition
GetThemeFont
GetThemeRect
GetThemeMargins
GetThemeIntList
GetThemePropertyOrigin
SetWindowTheme
GetThemeFilename
GetThemeSysColor
GetThemeSysColorBrush
GetThemeSysBool
GetThemeSysSize
GetThemeSysFont
GetThemeSysString
GetThemeSysInt
IsThemeActive
IsAppThemed
GetWindowTheme
EnableThemeDialogTexture
IsThemeDialogTextureEnabled
GetThemeAppProperties
SetThemeAppProperties
GetCurrentThemeName
GetThemeDocumentationProperty
DrawThemeParentBackground
EnableTheming
UhtrB
TEdgeBorder
ebLeft
ebTop
ebRight
ebBottom
ToolWin
TEdgeBorders
TEdgeStyle
esNone
esRaised
esLowered
ToolWin
TToolWindow
TToolWindow
ToolWin
Uh>wB
Uh!xB
UhYxB
IShellFolder
ShlObj
UhEyB
Uh}yB
TCommonDialog
TCommonDialog
Dialogs
Ctl3D
HelpContext
OnClose
OnShow
TOpenOption
ofReadOnly
ofOverwritePrompt
ofHideReadOnly
ofNoChangeDir
ofShowHelp
ofNoValidate
ofAllowMultiSelect
ofExtensionDifferent
ofPathMustExist
ofFileMustExist
ofCreatePrompt
ofShareAware
ofNoReadOnlyReturn
ofNoTestFileCreate
ofNoNetworkButton
ofNoLongNames
ofOldStyleDialog
ofNoDereferenceLinks
ofEnableIncludeNotify
ofEnableSizing
ofDontAddToRecent
ofForceShowHidden
Dialogs
TOpenOptions
TOpenOptionEx
ofExNoPlacesBar
Dialogs
TOpenOptionsEx
TOFNotifyEx
TIncludeItemEvent
TOFNotifyEx
Include
Boolean
TOpenDialog
TOpenDialog
Dialogs
DefaultExt
FileName
Filter<
FilterIndex
InitialDir
Options
OptionsEx
Title
OnCanClose
OnFolderChange
OnSelectionChange
OnTypeChange }B
OnIncludeItemSVW
_^[Y]
_^[Y]
;Ght4
FileEditStyle
8Z|03
@\@t*U
u"Vh_
Cancel
Abort
Retry
Ignore
NoToAll
YesToAll
commdlg_help
commdlg_FindReplace
WndProcPtr%.8X%.8X
TImage
TImage
ExtCtrls
Align
Anchors
AutoSize
Centerp
Constraints
DragCursor$
DragKind
DragMode
Enabled
IncrementalDisplay
ParentShowHint
PopupMenu
Proportional
ShowHint
Stretch
Transparent
Visible
OnClickT
OnContextPopup
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag,
OnMouseDown
OnMouseMove,
OnMouseUp
OnProgress
OnStartDockx
OnStartDrag
TTimer
TTimer
ExtCtrls
Enabled|
Interval
OnTimer
TCustomPanel
TCustomPanel
ExtCtrls
TPanel
TPanel
ExtCtrls7
AlignH
Alignment
Anchors
AutoSize\
BevelInner\
BevelOuterD
BevelWidth
BorderWidth
BorderStylep
CaptionX
Colorp
Constraints
Ctl3D
UseDockManager
DockSite
DragCursor$
DragKind
DragMode
Enabled
FullRepaint
Locked
ParentBiDiMode
ParentBackground
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHintX
TabOrder
TabStop
VisibleX
OnCanResize
OnClick
OnConstrainedResizeT
OnContextPopup
OnDockDrop
OnDockOver
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnEnter
OnExit
OnGetSiteInfo,
OnMouseDown
OnMouseMove,
OnMouseUp
OnResize
OnStartDockx
OnStartDrag
OnUnDock
TCustomRadioGroup
TCustomRadioGroup
ExtCtrls
TRadioGroup
TRadioGroup0
ExtCtrls$
Align
Anchors
BiDiModep
CaptionX
Color<
Columns
Ctl3D
DragCursor$
DragKind
DragMode
Enabled
Font<
ItemIndex
Itemsp
Constraints
ParentBiDiMode
ParentBackground
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHintX
TabOrder
TabStop
Visible
OnClickT
OnContextPopup
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnEnter
OnExit
OnStartDockx
OnStartDrag
NaturalNumber
TCanResizeEvent
Sender
TObject
NewSize
Integer
Accept
Boolean
TResizeStyle
rsNone
rsLine
rsUpdate
rsPattern
ExtCtrls
TSplitter
TSplitterH
ExtCtrls
Align
AutoSnap
BeveledX
Color
Cursorp
Constraints<
MinSize
ParentColor
ResizeStyle
Visible<
WidthX
OnCanResize
OnMoved
OnPaint
_^[Y]
_^[Y]
TGroupButton
TGroupButton
ExtCtrls
_^[Y]
_^[YY]
QdGNu
Delphi Picture
Delphi Component
TButtonLayout
blGlyphLeft
blGlyphRight
blGlyphTop
blGlyphBottom
Buttons
TNumGlyphs
TSpeedButtonActionLink
TSpeedButton
TSpeedButton
Buttons
Action
AllowAllUp
Anchors
BiDiModep
Constraints<
GroupIndex
Downp
Caption
Enabled
Glyph,
Layout<
Margin
NumGlyphs
ParentFont
ParentShowHint
PopupMenu
ShowHint<
Spacing
Transparent
Visible
OnClick
OnDblClick,
OnMouseDown
OnMouseMove,
OnMouseUp
TGlyphList
TGlyphList
Buttons
TGlyphCache8
TButtonGlyph
SVWUQ
Z]_^[
_^[Y]
_^[Y]
Y^[Y]
TOpenPictureDialog
TOpenPictureDialog
ExtDlgs
Filter
TSavePictureDialog
TSavePictureDialog
ExtDlgs
TSilentPaintPanel
TSilentPaintPanel
ExtDlgs
_^[YY]
_^[YY]
PicturePanel
PictureLabel
PreviewButton
PREVIEWGLYPH
PaintPanel
PaintBox
DLGTEMPLATE
_^[YY]
PreviewForm
Panel
Image
DLGTEMPLATE
MAPI32.DLL
TConversion
TConversionFormat
TCoolBand
TCoolBand
ComCtrls
Bitmap
BorderStyle
BreakX
ColorH
Control
FixedBackground
FixedSize
HorizontalOnlyh
ImageIndex<
MinHeight<
MinWidth
ParentColor
ParentBitmap
Visible<
Width
TCoolBands
TCoolBands
ComCtrls
TCoolBandMaximize
bmNone
bmClick
bmDblClick
ComCtrls
TCoolBar
TCoolBar
ComCtrls1
Align
Anchors
AutoSize
BandBorderStyleX
BandMaximize0
BorderWidthX
Colorp
Constraints
Ctl3D
DockSite
DragCursor$
DragKind
DragMode
EdgeBorders0sB
EdgeInner0sB
EdgeOuter
Enabled
FixedSize
FixedOrder
Font0
Images
ParentColor
ParentFont
ParentShowHint
PopupMenu
ShowHint
ShowText
Vertical
Visible
OnChange
OnClickT
OnContextPopup
OnDblClick
OnDockDrop
OnDockOver
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnGetSiteInfo,
OnMouseDown
OnMouseMove,
OnMouseUp
OnResize
OnStartDockx
OnStartDrag
OnUnDock
comctl32.dll
_^[Y]
;s(tT
ReBarWindow32
Uhm"C
UhD$C
Uh!&C
Uhu%C
Uhk*C
Uh+/C
_^[YY]
Uh>3C
|]_^[
R|^Y]
_^[YY]
_^[Y]
Uh7=C
TThemeServices
Theme manager
2001, 2002 Mike Lischke
^[YY]
!"#$%
Uh_IC
TCustomGroupBox
TCustomGroupBox
StdCtrls
TTextLayout
tlTop
tlCenter
tlBottom
StdCtrls
TCustomLabel
TCustomLabellKC
StdCtrls
TLabel
TLabel
StdCtrls'
AlignH
Alignment
Anchors
AutoSize
BiDiModep
CaptionX
Colorp
Constraints
DragCursor$
DragKind
DragMode
EnabledH
FocusControl
ParentBiDiMode
ParentColor
ParentFont
PopupMenu
ShowAccelChar
ShowHint
Transparent
Layout
Visible
WordWrap
OnClickT
OnContextPopup
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag,
OnMouseDown
OnMouseMove,
OnMouseUp
OnMouseEnter
OnMouseLeave
OnStartDockx
OnStartDrag
TDrawItemEvent
Control
TWinControl
Index
Integer
TRect
State
TOwnerDrawState
TMeasureItemEvent
Control
TWinControl
Index
Integer
Height
Integer
TButtonActionLink
TButtonControl
TButtonControl
StdCtrls
TRadioButton
TRadioButton`VC
StdCtrls*
Action
Alignment
Anchors
BiDiModep
Caption
CheckedX
Colorp
Constraints
Ctl3D
DragCursor$
DragKind
DragMode
Enabled
ParentBiDiMode
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHintX
TabOrder
TabStop
Visible
WordWrap
OnClickT
OnContextPopup
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnEnter
OnExit
OnKeyDownT
OnKeyPress
OnKeyUp,
OnMouseDown
OnMouseMove,
OnMouseUp
OnStartDockx
OnStartDrag
TListBoxStyle
lbStandard
lbOwnerDrawFixed
lbOwnerDrawVariable
lbVirtual
lbVirtualOwnerDraw
StdCtrls
TLBGetDataEvent
Control
TWinControl
Index
Integer
String
TLBGetDataObjectEvent
Control
TWinControl
Index
Integer
DataObject
TObject
TLBFindDataEvent
Control
TWinControl
FindString
String
Integer<
TCustomListBox
TCustomListBox8_C
StdCtrls
TabStop
TListBoxStrings
TListBoxStrings\aC
StdCtrls
_^[Y]
UhbiC
_^[Y]
CL+D$
CL+D$
GH+D$
UhQmC
_^[Y]
Z:Pit
UhZnC
_^[YY]
BUTTON
UhMsC
_^[Y]
UhltC
_^[YY]
_^[YY]
UhEvC
_^[YY]
_^[YY]
UhPxC
Uh.xC
_^[YY]
QQQQQQSVW
@YZ^[
YZ_^[
(]_^[
!G$_^[
LISTBOX
YZ]_^[
THintAction
THintActionL
StdActns
TWinHelpViewer
_^[YY]
_^[YY]
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
_^[Y]
JumpID("","%s")
_^[YY]
_^[Y]
MS_WINHELP
#32770
TCursor
TAlign
alNone
alTop
alBottom
alLeft
alRight
alClient
alCustom
Controls
TDragObject|
TDragObjectH
Controls
TBaseDragControlObject
TBaseDragControlObject
Controls
TDragControlObject
TDragControlObjectEx
TDragDockObject
TDragDockObject
Controls
TDragDockObjectEx
TControlCanvas
TControlCanvas,
Controls
TControlActionLink
TMouseButton
mbLeft
mbRight
mbMiddle
Controls
TDragMode
dmManual
dmAutomatic
Controls
TDragState
dsDragEnter
dsDragLeave
dsDragMove
Controls
TDragKind
dkDrag
dkDock
Controls
TTabOrder
TCaption
TAnchorKind
akLeft
akTop
akRight
akBottom
Controls
TAnchors
TConstraintSize
TSizeConstraints
TSizeConstraintsH
Controls
MaxHeight
MaxWidth
MinHeight
MinWidth
TMouseEvent
Sender
TObject
Button
TMouseButton
Shift
TShiftState
Integer
Integer
TMouseMoveEvent
Sender
TObject
Shift
TShiftState
Integer
Integer
TKeyEvent
Sender
TObject
Shift
TShiftState
TKeyPressEvent
Sender
TObject
TDragOverEvent
Sender
TObject
Source
TObject
Integer
Integer
State
TDragState
Accept
Boolean
TDragDropEvent
Sender
TObject
Source
TObject
Integer
Integer
TStartDragEvent
Sender
TObject
DragObject
TDragObject
TEndDragEvent
Sender
TObject
Target
TObject
Integer
Integer
TDockDropEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
TDockOverEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
State
TDragState
Accept
Boolean
TUnDockEvent
Sender
TObject
Client
TControl
NewTarget
TWinControl
Allow
Boolean
TStartDockEvent
Sender
TObject
DragObject
TDragDockObject
TGetSiteInfoEvent
Sender
TObject
DockClient
TControl
InfluenceRect
TRect
MousePos
TPoint
CanDock
Boolean
TCanResizeEvent
Sender
TObject
NewWidth
Integer
NewHeight
Integer
Resize
Boolean
TConstrainedResizeEvent
Sender
TObject
MinWidth
Integer
MinHeight
Integer
MaxWidth
Integer
MaxHeight
Integer
TMouseWheelEvent
Sender
TObject
Shift
TShiftState
WheelDelta
Integer
MousePos
TPoint
Handled
Boolean
TMouseWheelUpDownEvent
Sender
TObject
Shift
TShiftState
MousePos
TPoint
Handled
Boolean
TContextPopupEvent
Sender
TObject
MousePos
TPoint
Handled
Boolean
TControl
TControl
Controls
Left<
Width<
Height
Cursor
HelpType
HelpKeyword
HelpContext
TWinControlActionLink
TImeMode
imDisable
imClose
imOpen
imDontCare
imSAlpha
imAlpha
imHira
imSKata
imKata
imChinese
imSHanguel
imHanguel
Controls
TImeName
TBorderWidth
TBevelCut
bvNone
bvLowered
bvRaised
bvSpace
Controls
TBevelEdge
beLeft
beTop
beRight
beBottom
Controls
TBevelEdges
TBevelKind
bkNone
bkTile
bkSoft
bkFlat
Controls
TBevelWidth
IDockManager
Controls
TWinControl
TWinControl
Controls
TGraphicControlh
TGraphicControl
Controls
TCustomControl
TCustomControl
Controls
THintWindow
THintWindow8
Controls
TDragImageList
TDragImageList
Controls
TImageList
TImageList
Controls
BlendColorX
BkColor<
AllocBy
DrawingStyle<
Height4
ImageType
Masked
OnChange
ShareImages<
Width
TDockZone
TDockTree
TMouse
TCustomListControl
TCustomListControl
Controls
TCustomMultiSelectListControl
TCustomMultiSelectListControlD
Controls
crDefault
crArrow
crCross
crIBeam
crSizeNESW
crSizeNS
crSizeNWSE
crSizeWE
crUpArrow
crHourGlass
crDrag
crNoDrop
crHSplit
crVSplit
crMultiDrag
crSQLWait
crAppStart
crHelp
crHandPoint
crSizeAll
crSize
TSiteList
_^[YY]
tPHt8
_^[Y]
S$_^[]
;B0t'
;B8t=
CQ tA
YZ_^[
YZ]_^[
YZ_^[
t%Jt?Jt[
%s (%s)
Z:Pjt
YZ]_^[
$:Cat
u$;~|u
;CLtX3
Qh_^[
YZ_^[
YZ_^[
V:P\t
GP t;
_^[YY]
CH+D$
CL+D$
;s0t=;
:_Wt+
f;Pxt
KHQRP
Ht7Ht
IsControl
_^[YY]
YZ_^[
_^[YY]
_^[Y]
8]_^[
,]_^[
YZ_^[
^[YY]
Uh$!D
RD;PD
Uhm%D
:_[up
Uh{)D
Uh}*D
Uhs+D
SVWUQ
Z]_^[
C$PVj
C$_^[
Uhi2D
:GauOFKu
_^[Y]
DesignSize
Uh15D
_^[YY]
_^[Y]
t2HtY
]_^[
UhSID
_^[Y]
_^[Y]
$Z_^[
_^[YY]
UhtMD
_^[Y]
UhFND
^[YY]
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
_^[YY]
;XDt#
SVWUQ
Z]_^[
t&j7j
YZ]_^[
YZ]_^[
YZ]_^[
t4VS
R|FOu
YZ]_^[
^[YY]
S8_^[]
UhjkD
+CH+E
+SL+U
UhgmD
UhotD
UhLtD
UhUvD
Uh[wD
UhAyD
_^[Y]
Uh|{D
f;Pht
_^[Y]
t9;wlt4
YZ_^[
;Bdt*
;Bh|3
R|_^[
^dVhp
^dVhp
_^[Y]
Y_^[]
Y[YY]
t$;C8u
QQQQSVW
;Fdu;
^[YY]
Q8FKu
;Xdt>
t#;^dt
YZ_^[
Y_^[]
^[YY]
+W$;U
+G$;E
_^[Y]
BP_^[]
USER32
WINNLSEnableIME
imm32.dll
ImmGetContext
ImmReleaseContext
ImmGetConversionStatus
ImmSetConversionStatus
ImmSetOpenStatus
ImmSetCompositionWindow
ImmSetCompositionFontA
ImmGetCompositionStringA
ImmIsIME
ImmNotifyIME
YZ_^[
Delphi%.8X
ControlOfs%.8X%.8X
USER32
AnimateWindow
TContainedAction
TContainedAction8
ActnList
Category
TCustomActionList
TCustomActionList\
ActnList
TShortCutList
TShortCutList8
ActnList
TCustomAction
TCustomActionT
ActnList
TActionLinkSV
^[YY]
u*;~8u
R0GNu
SVWUQ
Z]_^[
QLGNu
R0Z_^[
QPFOu
_^[Y]
$:Cjt_
QTGNu
R0Z_^[
Q`FOu
R0]_^[
$;Ctt?
Q\GNu
R0Z_^[
QhGNu
R0Z_^[
QlGNu
R0Z_^[
SVWQf
QpGNu
R0Z_^[
QtFOu
R0]_^[
SVWUQ
$Z]_^[
TChangeLink
TDrawingStyle
dsFocus
dsSelected
dsNormal
dsTransparent
ImgList
TImageType
itImage
itMask
ImgListl
TImageIndex
TCustomImageList
TCustomImageList
ImgList
;V4t8
;V0t8
Rd_^[
s8VV3
S0_^[]
R ;C0|
R,;C4}!
S`]_^[
Bitmap
_^[Y]
comctl32.dll
comctl32.dll
ImageList_WriteEx
EMenuError
TMenuBreak
mbNone
mbBreak
mbBarBreak
Menus
TMenuChangeEvent
Sender
TObject
Source
TMenuItem
Rebuild
Boolean
TMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
Selected
Boolean
TAdvancedMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
State
TOwnerDrawState
TMenuMeasureItemEvent
Sender
TObject
ACanvas
TCanvas
Width
Integer
Height
Integer
TMenuItemAutoFlag
maAutomatic
maManual
maParent
Menus
TMenuAutoFlag
Menus
TMenuActionLink
TMenuItem
TMenuItem
Menus
Action
AutoCheck`
AutoHotkeys`
AutoLineReduction
Bitmapt
Break
Caption
Checked0
SubMenuImages
Default
EnabledT
GroupIndex
HelpContext
Hinth
ImageIndex
RadioItem
ShortCut
Visible
OnClick
OnDrawItemx
OnAdvancedDrawItem
OnMeasureItem
TMenu
TMenu
Menus
Items
TMainMenu
TMainMenu
Menus
AutoHotkeys
AutoLineReduction
AutoMerge
BiDiMode0
Images
OwnerDraw
ParentBiDiMode
OnChange
TPopupAlignment
paLeft
paRight
paCenter
Menus
TTrackButton
tbRightButton
tbLeftButton
Menus$
TMenuAnimations
maLeftToRight
maRightToLeft
maTopToBottom
maBottomToTop
maNone
Menus
TMenuAnimation
TPopupMenu
TPopupMenu
Menus
Alignment
AutoHotkeys
AutoLineReduction
AutoPopup
BiDiMode
HelpContext0
Images
MenuAnimation
OwnerDraw
ParentBiDiMode
TrackButton
OnChange
OnPopup
TPopupList
TMenuItemStack
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
_^[YY]
f;B`t
CPPVj
Q<]_^[
SVWUQ
:X?s&
X?ENu
Z]_^[
ShortCutText
_^[Y]
_^[Y]
P?:S?u
:^8tB
:^9tg
Q<_^[
:^?t1
f;P`t
:]:tJ
Q<]_^[
@?:F?v
Q<]_^[
Q<_^[
W<CNu
Uhh)E
SpFOu
$YZ]_^[
_^[Y]
_^[Y]
SVWUQ
Z]_^[
Uhi0E
_^[YY]
Uhk1E
S0^[]
_^[Y]
_^[Y]
Ih;J4u
_^[Y]
UhU?E
Uh0?E
Sh`:E
YZ]_^[
S0_^[
S<&uO
^[YY]
TScrollBarInc
TScrollBarStyle
ssRegular
ssFlat
ssHotTrack
Forms
TControlScrollBar
TControlScrollBar
Forms
ButtonSizeX
ColorXFE
Incrementh
Margin
ParentColor<
Position<
Range
Smooth<
SizetFE
Style<
ThumbSize
Tracking
Visible
TWindowState
wsNormal
wsMinimized
wsMaximized
Forms
TScrollingWinControl
TScrollingWinControl
Forms
HorzScrollBar$GE
VertScrollBar0KE
TFormBorderStyle
bsNone
bsSingle
bsSizeable
bsDialog
bsToolWindow
bsSizeToolWin
Forms
TBorderStyle
Forms
IDesignerHookh%A
Forms
IOleForm
Forms
TFormStyle
fsNormal
fsMDIChild
fsMDIForm
fsStayOnTop
Forms
TBorderIcon
biSystemMenu
biMinimize
biMaximize
biHelp
Forms
TBorderIcons
TPosition
poDesigned
poDefault
poDefaultPosOnly
poDefaultSizeOnly
poScreenCenter
poDesktopCenter
poMainFormCenter
poOwnerFormCenter
FormsxME
TDefaultMonitor
dmDesktop
dmPrimary
dmMainForm
dmActiveForm
Forms
TPrintScale
poNone
poProportional
poPrintToFit
Forms
TCloseAction
caNone
caHide
caFree
caMinimize
Forms
TCloseEvent
Sender
TObject
Action
TCloseAction
TCloseQueryEvent
Sender
TObject
CanClose
Boolean
TShortCutEvent
TWMKey
Handled
Boolean
THelpEvent
Command
Integer
CallHelp
Boolean
Boolean
TCustomForm
TCustomForm
Forms
TForm
TForm
FormsU
ActionH
ActiveControl
Align
AlphaBlendT
AlphaBlendValue
Anchors
AutoScroll
AutoSize
BiDiMode
BorderIcons,KE
BorderWidthp
Caption<
ClientHeight<
ClientWidthX
Color
TransparentColorX
TransparentColorValuep
Constraints
Ctl3D
UseDockManagertME
DefaultMonitor
DockSite$
DragKind
DragMode
Enabled
ParentFont
Font LE
FormStyle<
Height
HelpFile$GE
HorzScrollBar
KeyPreviewT
OldCreateOrder
ObjectMenuItem
ParentBiDiMode<
PopupMenu
Position
PrintScale
Scaled
ScreenSnap
ShowHint<
SnapBuffer$GE
VertScrollBar
Visible<
Width
WindowState
WindowMenu
OnActivateX
OnCanResize
OnClickXNE
OnClose
OnCloseQuery
OnConstrainedResizeT
OnContextPopup
OnCreate
OnDblClick
OnDestroy
OnDeactivate
OnDockDrop
OnDockOver
OnDragDrop
OnDragOver
OnEndDock
OnGetSiteInfo
OnHide
OnHelp
OnKeyDownT
OnKeyPress
OnKeyUp,
OnMouseDown
OnMouseMove,
OnMouseUpX
OnMouseWheel
OnMouseWheelDown
OnMouseWheelUp
OnPaint
OnResize
OnShortCut
OnShow
OnStartDock
OnUnDock
TCustomDockForm
TCustomDockFormh`E
Forms
PixelsPerInch
TMonitor
TScreen
TScreen
Forms
TApplication
TApplicationpcE
Forms
Uh\eE
t:GNu
^[YY]
UhMiE
;S$t6
;S0t6
Uh,wE
]_^[
UhV{E
Uht~E
UhT~E
_^[Y]
_^[Y]
PixelsPerInch
TextHeight
IgnoreFontProperty
_^[YY]
S,_^[]
SVWUQ
$Z]_^[
;Cpu'
F(Z_^[
MDICLIENT
_^[Y]
_^[Y]
;ADti
f#CTf
_^[Y]
_^[YY]
t"GNu
$Z_^[
_^[YY]
_^[Y]
Y_^[]
_^[Y]
_^[Y]
_^[YY]
Ch;Ctt
Cd;Cpt
C\_^[
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
layout text
f;sDtsf
PWj W
CHYZ]_^[
RD;PD
_^[YY]
TApplication
MAINICON
XD;PHu
sx;P`u
;B0uGj
_^[YY]
vcltest3.dll
RegisterAutomation
SVWUQ
$Z]_^[
~D_^[Y]
_^[Y]
_^[Y]
_^[Y]
;{HtK
YZ_^[
Y_^[Y]
;^`u0
]_^[
^[YY]
YZ]_^[
User32.dll
SetLayeredWindowAttributes
TaskbarCreated
TCheckListBox
TCheckListBox
OnClickCheck
Align
AllowGrayed
Anchors
AutoComplete
BevelEdges\
BevelInner\
BevelOuter
BevelKindD
BevelWidth
BiDiMode
BorderStyleX
Color<
Columnsp
Constraints
Ctl3D
DragCursor$
DragKind
DragMode
Enabled
FontX
HeaderColorX
HeaderBackgroundColor
ImeMode0
ImeName
IntegralHeight<
ItemHeight
Items
ParentBiDiMode
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHint
Sorted`]C
StyleX
TabOrder
TabStop<
TabWidth
Visible
OnClickT
OnContextPopup
OnData
OnDataFind0^C
OnDataObject
OnDblClick
OnDragDrop
OnDragOver
OnDrawItem
OnEndDock
OnEndDrag
OnEnter
OnExit
OnKeyDownT
OnKeyPress
OnKeyUphSC
OnMeasureItem,
OnMouseDown
OnMouseMove,
OnMouseUp
OnStartDockx
OnStartDrag
TCheckListBoxDataWrapper
SVWUQ
Z]_^[
Panel1
RadioGroup1
Label1
PopupMenu1
CoolBar1
Splitter1
CheckListBox1
SavePictureDialog1
TForm1
TForm1
Unit1
FileTimeToSystemTime
kernel32
UhM%F
ELF.EX
Uh;&F
Error
Runtime error at 00000000
0123456789ABCDEF
MS Sans Serif
h3QgjW
Oh87>
OSVWj?_jr
joZj,f
Xj.^%ef
_j#Zf
jiZj!f
W%sXja)
f9K"@
PWWjoWWWW
4j"Xjs
Y%dXjr)
joX%pf
jaX%vf
PSSjUS
PVVjoVVV
HhhAh[S
t*SSV
hhAh[S
OhIH8YSV
Oj:Xj
hX7xkW
u<erf
h'A'[W
jmXj%f
V%\Xjd)
Xjs^)
%vXjm)
X%oZju)
X%.Yjy)
VMKV)
j"Y%%
Oj0Yd
j+Xjwf
js^j8
OjoXj?f
j\X%nf
PVVjoVVV
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll
lstrcpyA
WriteFile
WaitForSingleObjectEx
WaitForSingleObject
VirtualQuery
VirtualAlloc
Sleep
SizeofResource
SetThreadLocale
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
ReadFile
MulDiv
LockResource
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetVersionExA
GetVersion
GetTickCount
GetThreadLocale
GetSystemTimeAsFileTime
GetSystemTime
GetSystemInfo
GetStringTypeExA
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetCPInfo
GetACP
FreeResource
InterlockedExchange
FreeLibrary
FormatMessageA
FindResourceA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
EnumCalendarInfoA
EnterCriticalSection
DeleteCriticalSection
CreateThread
CreateFileA
CreateEventA
CompareStringA
CloseHandle
version.dll
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
gdi32.dll
UnrealizeObject
StretchBlt
SetWindowOrgEx
SetWinMetaFileBits
SetViewportOrgEx
SetTextColor
SetStretchBltMode
SetROP2
SetPixel
SetEnhMetaFileBits
SetDIBColorTable
SetBrushOrgEx
SetBkMode
SetBkColor
SelectPalette
SelectObject
SelectClipRgn
SaveDC
RestoreDC
Rectangle
RectVisible
RealizePalette
Polyline
PlayEnhMetaFile
PathToRegion
PatBlt
MoveToEx
MaskBlt
LineTo
IntersectClipRect
GetWindowOrgEx
GetWinMetaFileBits
GetTextMetricsA
GetTextExtentPoint32A
GetSystemPaletteEntries
GetStockObject
GetPixel
GetPaletteEntries
GetObjectA
GetEnhMetaFilePaletteEntries
GetEnhMetaFileHeader
GetEnhMetaFileBits
GetDeviceCaps
GetDIBits
GetDIBColorTable
GetDCOrgEx
GetCurrentPositionEx
GetClipRgn
GetClipBox
GetBrushOrgEx
GetBitmapBits
ExcludeClipRect
DeleteObject
DeleteEnhMetaFile
DeleteDC
CreateSolidBrush
CreateRectRgn
CreatePenIndirect
CreatePalette
CreateHalftonePalette
CreateFontIndirectA
CreateDIBitmap
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
CreateBrushIndirect
CreateBitmap
CopyEnhMetaFileA
BitBlt
user32.dll
CreateWindowExA
WindowFromPoint
WinHelpA
WaitMessage
UpdateWindow
UnregisterClassA
UnhookWindowsHookEx
TranslateMessage
TranslateMDISysAccel
TrackPopupMenu
SystemParametersInfoA
ShowWindow
ShowScrollBar
ShowOwnedPopups
ShowCursor
SetWindowsHookExA
SetWindowPos
SetWindowPlacement
SetWindowLongA
SetTimer
SetScrollRange
SetScrollPos
SetScrollInfo
SetRect
SetPropA
SetParent
SetMenuItemInfoA
SetMenu
SetForegroundWindow
SetFocus
SetCursor
SetClassLongA
SetCapture
SetActiveWindow
SendMessageA
ScrollWindow
ScreenToClient
RemovePropA
RemoveMenu
ReleaseDC
ReleaseCapture
RegisterWindowMessageA
RegisterClipboardFormatA
RegisterClassA
RedrawWindow
PtInRect
PostQuitMessage
PostMessageA
PeekMessageA
OffsetRect
OemToCharA
MessageBoxA
MapWindowPoints
MapVirtualKeyA
LockWindowUpdate
LoadStringA
LoadKeyboardLayoutA
LoadIconA
LoadCursorA
LoadBitmapA
KillTimer
IsZoomed
IsWindowVisible
IsWindowEnabled
IsWindow
IsRectEmpty
IsIconic
IsDialogMessageA
IsChild
InvalidateRect
IntersectRect
InsertMenuItemA
InsertMenuA
InflateRect
GetWindowThreadProcessId
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowLongA
GetWindowDC
GetTopWindow
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSysColor
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMessagePos
GetMenuStringA
GetMenuState
GetMenuItemInfoA
GetMenuItemID
GetMenuItemCount
GetMenu
GetLastActivePopup
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetIconInfo
GetForegroundWindow
GetFocus
GetDlgItem
GetDesktopWindow
GetDCEx
GetDC
GetCursorPos
GetCursor
GetClipboardData
GetClientRect
GetClassNameA
GetClassInfoA
GetCapture
GetActiveWindow
FrameRect
FindWindowA
FillRect
EqualRect
EnumWindows
EnumThreadWindows
EndPaint
EndDeferWindowPos
EnableWindow
EnableScrollBar
EnableMenuItem
DrawTextA
DrawMenuBar
DrawIconEx
DrawIcon
DrawFrameControl
DrawFocusRect
DrawEdge
DispatchMessageA
DestroyWindow
DestroyMenu
DestroyIcon
DestroyCursor
DeleteMenu
DeferWindowPos
DefWindowProcA
DefMDIChildProcA
DefFrameProcA
CreatePopupMenu
CreateMenu
CreateIcon
ClientToScreen
CheckMenuItem
CallWindowProcA
CallNextHookEx
BeginPaint
BeginDeferWindowPos
CharNextA
CharLowerBuffA
CharLowerA
CharToOemA
AdjustWindowRectEx
ActivateKeyboardLayout
kernel32.dll
Sleep
oleaut32.dll
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
comctl32.dll
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_GetDragImage
ImageList_DragShowNolock
ImageList_SetDragCursorImage
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Replace
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_ReplaceIcon
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
InitCommonControls
comdlg32.dll
GetSaveFileNameA
GetOpenFileNameA
0(0<0T0h0|0
1e1i1m1
2&2.262>2F2N2V2^2f2n2v2~2
323:3B3J3R3Z3b3j3s3
6_6r6
6,7m7
:!:+:5:?:U:[:i:|:
;';.;8;B;L;X;c;t;z;
<&<f<|<
=3>@>s>y>
>P?X?
0r0x0
1'1/1b1
2%2.2L2R2Z2
363Z3b3h3n3
4e4p4y4
5$5+555
6#6/676
7$7=7
8F:N:
>$>5>A>
1#1:1O1
606>6R6
7<7E7w7
9=9D9d9
:K;s;z;
;'<<<
>)>3>;>A>O>j>
>R?[?
0Y2w2
5i5z5
<+<2<6<<<@<F<M<Q<k<t<}<
=2=\=j=o=
>*>w>
>X?n?v?~?
0&0.060>0F0N0V0^0f0n0v0~0
1&1.161>1F1N1V1^1f1n1v1~1
2&2.262>2F2N2V2^2f2n2v2~2
3&3.363>3F3N3V3^3f3n3v3~3
4&4.464>4F4N4V4^4f4n4v4~4
5&5.565>5F5N5V5^5f5n5v5~5
6&6.666>6F6N6V6^6f6n6v6~6
7&7.767>7F7N7V7^7f7n7v7~7
8&8.868>8F8N8V8^8f8n8v8~8
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?0?4?8?<[email protected]?D?H?L?Z?l?
0$0D0L0P0T0X0\0`0d0h0l0|0
141T1\1`1d1h1l1p1t1x1|1
2 2$2(2,2<2\2d2h2l2p2t2x2|2
3 3$3(3,3034383H3h3p3t3x3|3
4 4$4(4,4044484<[email protected]|4
6<6D6H6L6P6T6X6\6`6d6x6
7,7L7T7X7\7`7d7h7l7p7t7
8 8$8(8,808D8d8l8p8t8x8|8
9 9-959P9p9x9|9
: :,:0:L:T:X:\:`:d:h:l:p:t:
;;;C;P;U;[;
10A0L0Y0^0h0x0
111=1T1`1
1Q2^2w2
8=:A:E:I:M:Q:U:Y:]:a:e:i:m:q:u:y:}:
:M;T;
>%>->
)0f1{1
5+555
8K92:h:
<\=c=
>=?d?x?
2,2_2s2
3h4y5
8;8j8
979~9
:-:E:q:
<2=n>
?+?]?
0>0R0
2.2G2b2
5$5-5
797G7N7f7m7
8-8X8g8{8
;&<-<7<=<D<N<S<Y<^<d<i<o<v<|<
=D=M=V=\=m=x=}=
>A>d>
?&?D?
011a1u1
2 4g4
505E5P5U5Z5g5}5
6&686
7#767?7Z7m7v7
878Y8h8v8
:8:?:N:U:s:
.0?0b0|0
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2 2(2,[email protected]\2d2h2p2t2|2
3$3(30343<[email protected]`3d3s3
4'414<4F4Q4[4f4p4z4
5$5)5O5n5v5~5
5 6-6V6
7.7d7q7
8B8\8
9?9q9
9!:/:4:?:E:J:U:[:`:k:q:v:
;!;&;1;7;<;G;M;R;];c;h;s;y;~;
</=;=H=Z=
> >$>(>,>0>4>8><>T>l>p>
? ?$?(?,?0?L?l?t?x?|?
1 1$1D1d1l1p1t1x1|1
3 3$3I3W3f3}3
494G4V4m4
5)575F5]5
6 6A6P6g6v6
7"717B7t7
8.8E8
$0A0y0
0,1a1}1
4!4%4)4-4145494=4A4E4I4M4Q4U4Y4]4a4e496
7)7]7v7
768S8
9$9-;1;5;9;=;A;E;I;M;Q;U;Y;];a;e;i;m;q;u;y;};
0^1u1
2-2B2G2T2t2
5*5K5a5y5~5
5B6G6a6
7%7*7/74797?7D7I7O7V7\7c7i7p7v7}7
8$8,848<8D8L8T8\8d8l8t8|8
9><g<
>d>h>l>p>t>x>
1#101B1H1a1
1,2=2
3)303P3X3\3`3d3h3l3p3t3x3
4 4$4(4,40444H4h4p4t4x4|4
5 5$5(5,5054585<[email protected]|5
6$6,6064686<[email protected]`6
8(8H8P8T8X8\8`8d8h8l8p8
9 9$9(9,90949D9d9l9p9t9x9|9
:!:Y:]:a:y:
;';+;<;L;X;\;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<r<
= =(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
>%>0>@>P>X>\>`>d>h>l>p>t>x>|>
? ?1?5?H?h?p?t?x?|?
000P0X0\0`0d0h0l0p0t0x0|0
1 [email protected]\1`1d1h1l1p1t1x1|1
3(3,3H3P3T3X3\3`3d3h3l3p3t3x3|3
4,44484<[email protected]\4`4d4p4|4
5 5(5,5054585<[email protected]}5
6:6H6L6T6X6d6h6p6t6x6|6
7 7$7(7,70747D7T7X7h7
8(888D8H8P8T8X8\8`8d8h8l8p8t8x8|8
:$:,:0:4:8:<:@:D:H:L:^;m;|;
1W2g2t2
3.4I4X4o4
5*5<5R5W5s5
6*6<6A6`6m6x6
6T7`7
9?9d9t9
;I;V;j;q;
=1=C=
1'1j1
3/464M4
6:6J6
9P:}:
<T>j>
0%0w0
0,1R1{1
1A2^2
666L6
6C7`7
7&8K8s8
9*:G:|:
;G<}<
1A2H2
2l3s3
5/5O5
7m7t7
<$<,<0<4<8<<<@<D<H<L<P<^<f<|<
=&>n>
>b?o?z?
282I2g2n2
555Q5
8J8{8
=/>Q>
>%?;?v?
%0{0a1
2?2M2[2i2
5?6C6f6j6
898}8
9 9$9(9,9
<)=<=
3#3'3+3/33373;3?3C3>4d4
4&5`5
8 8N8k8
9"9&9*9.92969:9>9B9F9J9N9R9V9
=%=N=j=q=
>'>f>k>
O0<1G1s2y2
3f4m4
;!<P<
?-?s?
00050>0D0Y0g0m0x0
2!2+282H2P2X2`2h2p2x2
3 3([email protected]`3h3p3x3
4 4([email protected]`4h4p4x4
646M6x6
7$7t7
708J8
91959H9]9
: :::B:Z:^:b:{:
;$;(;,;0;4;8;<;@;D;H;L;P;\;f;j;{;
<$<(<,<0<4<8<<<@<D<H<L<P<\<h<l<}<
= =,=9===N=V=n=
? ?,?8?<?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
:0>0B0F0J0b0p0t0|0
1<1D1H1L1P1T1X1\1`1d1h1|1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3,3<3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
4$4,4044484<[email protected]`4p4
5#5'5>5L5l5t5x5|5
7(8^8
9*9:9p9z9
#030N0
1'1W1
3.434S43686s6
8S8X8
9;9f9
9.:>:P:n:
< <-<A<N<b<t<~<
0,1s1
2%242C2
324R4r4
7-8j8
<;<P<s<
?:?X?
8U9r9
9/:A:^:
;S;i;r;
<*=g=
>P?x?
3#4D4S4m4
4^5{5
696W6
???]?
4'4]4
5$5(5,5054585<[email protected]\5p5
6'6,6T6c6
>L>T?
0:0d0
4'444
4#5/5
5i6E7j7
<O=c=
>C>P>|>
>1???
0G1b1
>P?`?
1<1k1x1
2%2+2D2d2l2p2t2x2|2
5P5i5
6'626D6V6g6q6
8 8(8,8084888<[email protected]
:+:8:J:R:Z:b:l:r:z:
;2;:;B;J;R;Z;b;j;r;z;
<*<2<8<D<J<c<
<f=n=t=
>)?1?7?C?K?
0[0f0
0/1:1Z1
373C3P3b3w3
4+4P4i4
5$5,5054585<[email protected]
5_6c6g6k6o6s6w6{6
7 7.767L7T7\7d7
9Q9f9
> ?d?
0 0y0
1$1r1
4!4:4U4b4{4
7.7<7\7d7h7l7p7t7x7|7
9%[email protected]\9c9j9q9x9
: :':.:5:<:C:J:Q:X:_:f:m:t:{:
;*;/;<;A;N;S;`;e;r;w;
<&<+<8<=<J<O<\<a<n<s<
="='=4=9=F=K=X=]=j=o=|=
>#>0>D>I>
232?2G2U2]2o2
3+303I3p3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
6 6/6
7'7s7
8.8;8G8T8f8s8
:(:,:0:4:8:L:_:c:s:
= =\=`=d=p=t=
>2>6>:>>>B>T>e>i>y>
?-?O?s?
040l0z0
0.161H1Z1j1
4 4/4?4
7$7`7
9&909<9
<D=x=P>Z>_>i>p>
? ?(?,[email protected]?D?L?P?X?\?d?h?p?t?|?
0*0/0<0L0X0\0d0h0l0p0t0x0|0
1"2E2h2t2
3&3.3M3U3Y3p3x3
3%4J4o4
5(5L5q5
6 6$6(6,[email protected]\6m6u6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
8(8:8>8P8`8p8x8|8
9 9$9(9,9094989<[email protected]\9`9d9p9|9
:":?:G:d:l:
;";&;:;B;`;h;l;
<7<C<Y<
=9=A=_=g=
>9>A>E>[>
?D?i?
0>0f0
1E1h1x1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4!424:4R4Z4^4t4
616Z6^6
7'7C7K7O7f7j7n7
8=8b8
9<9X9
:$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;0;8;P;s;{;
<&<D<j<r<v<
<a>k>
2G3T3
5X5g5~5
7n7;8
<o<~<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
<O<u<
0$0,040<0D0L0T0\0d0l0t0|0
1$1014181<[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3/3;3H3Z3g3s3z3
4&4,4H4
5 5$5(5,5054585<[email protected]\5`5d5h5
6 6$6(6,6064686<[email protected]\6
7<7D7H7^7j7
8/878N8V8Z8m8q8u8
9 9A9j9r9
:':=:b:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;p;
< <$<(<,<0<4<m<
>(?0?>?J?
1!131C1]2j2y2
<0=K=m=
;';:;B;L;`;l;p;|;
<0<H<L<\<h<
=([email protected]=D=T=d=p=t=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>p>
?_?v?
0]0o0
2?3h3
4F4q4
6$6e6o6{6
9+979D9V9{9
:&:G:S:[:c:n:
;";(;H;P;T;X;\;`;d;h;l;p;t;x;
<&<4<8<H<W<[<l<t<x<
=?=G=c=k=
>&>E>M>d>h>l>
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1"101>1B1S1W1[1s1{1
2)212O2W2[2o2w2
2 3C3K3i3q3
4$4(4;4C4\4d4
636X6}6
777]7
8Q9e9p9J:k:
?5?<?U?i?{?
$0B0Q0`0o0
374i4
5+5h5
7Y8g8
= =2=B=H=h=p=t=x=|=
=r?|?
2"4)4
5"5&5*5
8+979>9H9Z9j9p9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
: ;0;<;@;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<<<N<R<d<t<
= =$=(=,=0=4=8=<[email protected]=L=X=\=m=u=
>!>%>;>C>G>[>c>
?5?=?A?T?}?
0=0E0I0`0d0h0
171\1
2:2^2
2V3Z3b3h3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$60646<[email protected]\6`6d6h6l6p6t6x6|6
7 7$7(7,7:7>7B7F7X7j7n7
8+878M8U8Y8m8u8
:":*:F:N:R:i:m:q:
;>;c;
<8<\<
=9=`=|=
=!>%>)>0>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
0 0$0(0,00040B0n0r0v0z0~0
1 10181<[email protected]\1`1d1h1l1p1t1x1|1
8a8U9
=+>H>
0X1{1]2{2
6!686q6
7H7!8>8
:#:-:h:
535B5V5^5
6;7W:7;g<
=,>V?
0#0:0
1 1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
172C2P2b2h2
3 3$3(3,3034383<[email protected]
3(4b4m4x4
5/5;5T5z5
8J8R8p8~8
:1:b:
=$>\>
?3???I?S?X?g?y?
0$0(0,0004080<[email protected]\0`0d0h0x0
101L1P1d1
2 2$2(2,2024282<[email protected]\2`2d2
3-313D3d3l3p3t3x3|3
4 4$4(4,4044484<[email protected]
5 5$5(5,5054585<[email protected]\5w5
5$6<6X6p6
7$7(7,7074787<[email protected]
9G9K9O9T9
:e:i:m:q:x:
;q;u;y;};
<p<t<x<|<
<B=F=R=X=
=B>F>J>N>R>X>
>D?H?P?T?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
0:1>1B1F1J1N1R1V1Z1^1b1f1j1n1r1v1z1~1
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2p2~2
323>3Q3t3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
6D6`6r6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
9"9&9*9.92969:9>9B9F9J9N9R9V9Z9^9b9f9j9n9r9v9z9~9
:":&:*:.:2:6:H:Y:]:p:
; ;$;(;,;0;4;8;<;@;D;H;P;d;y;};
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
>">&>*>.>@>Q>U>h>x>
? ?4?D?T?\?`?d?h?l?p?t?x?|?
0"0<0^0f0
141<1T1t1|1
1H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3$3D3L3P3T3X3\3`3d3h3l3x3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686\6
;<;D;H;L;P;T;X;\;`;d;h;l;p;t;
>A>P>
243n3
4e5w5
7P7]7f7o7
7"8*878>8L8W8]8v8
9(989I9V9x9
:#:>:J:R:d:
;+;0;:;@;H;
< <%<1<;<A<I<j<r<
=(=^=
>">8>@>N>`>p>y>
?3?>?G?U?h?
0$0+01090O0Z0o0y0
1#1)171=1K1V1j1{1
373G3~3
304?4~4
4n5V6
7 7d7
8K8N9l9
94:>:R:W:c:w:
=W=;>{?
4K5;6A6d6j6
7?7y7
9/<S<b<
?N?f?~?
0P0Y0z0
4.5;5J5!717
0 1H1p1`3k3y3
=>>S>e>
1w1{1
455a5
7T8d8
889f9
041F1|1
4M4V4d4
8b8l8
:3<;<N<
9F9l9w9
<3=g=
1s2Q3e3|4
315A5
9t9z9%;
474\4
555v5
;#;n;
0\0M2T2
6-6_6
5,8>8O8g8
9U:s:\;
2 4g5
9_9i9s9}9
;5;A;I;U;`;f;r;|;
<!<&<1<6<;<F<K<P<[<h<z=
>#>4>E>[>c>r>|>
???L?V?g?p?
0%03080=0G0W0b0o0
1(121<1N1c1o1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3,30383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5$5(5054585<[email protected]\5`5d5h5l5p5t5x5|5
60686<[email protected]\6`6d6h6l6p6t6x6|6
6g708j8
9.9B9
;L<`<t<
3+474D4V4_4d4o4t4
445M5h5
606F6J6
7,8H8
;,;V;
<N<^<
?4?O?^?
3$343]3m324O4l4
4r5'6Q6`6w6
8+8V8s8
8&9w9
:`:u;
</<X<h<
=H=e=
==>E>O>U>`>p>{>
0<0D0H0L0P0T0X0\0`0d0t0
1g1k1s1x1
1N2R2V2Z2`2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484F4N4f4j4n4r4v4z4~4
5 5D5H5L5e5m5
656=6Z6f6
7-797O7t7
8 8$8(8,8084888<[email protected]^8n8r8v8
9 9$9(9,9094989<[email protected]}9
:/:7:S:[:|:
: ;>;
< <$<(<,<0<@<P<T<b<
=#='=E=M=f=
>$>H>h>p>t>x>|>
545g5
5/6l6
97:H:
;&;2;
?9?D?
0i0C1
3%4/494L4V4i4s4
7i7C8
8A9e9R:
3)4T4Y4a4f4{4
475i5
6v6Z7
8C9x9
1-1:1\1a1
9=9I9]9i9n:
<Z=j=
111M1w1
3"4u4
5 5$5(5,5054585<[email protected]\5g5s5z5
6$6.656?6F6P6X6t6
7$7;7?7M7U7r7z7
9'9T9d9p9t9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:
;,;K;
; <9<p<
>+>X>
?d?i?m?q?x?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
0V1Z1^1b1f1j1n1r1v1z1~1
2"2&2*2.22262:2>2B2F2X2i2m2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4*424J4R4o4w4
5&5.525L5T5X5r5z5
6'6/6R6Z6
7"7=7`7
8.8Q8Y8]8y8
9.9W9[9_9
:1:9:=:T:y:
;.;:;S;_;y;
<;<G<^<j<
=$===I=b=
> >9>E>[>g>
?F?R?h?t?
0,080<0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
1 1$1(1,1014181<[email protected]|1
2 2$2(2,2024282<2L2X2\2l2t2x2|2
3$30343D3L3P3T3X3\3`3d3h3l3p3t3x3|3
5 5.5;5K5b5~5
6 6(616A6H6O6V6g6o6u6
7)7?7n7
536C6
;H;k;
<:=E=T=y=
>C>H>d>
>)?=?Q?r?y?
0T0g0
0(1q1v1
132b2
203V3
4U4i4
6>6I6V6\6g6t6
=<>L>i>
>F?S?c?}?
3A4_4
6<6R6~6
6<7F7.9=9T9h9
:z;v<
=!===`=
=+>=>[>n>
? ?7?O?a?
1/1Y1
2Z3|3
405n5}5
5T6z6
7"797\7?8
:":_:
1&1:2F2
5E8h8w8
889T9p9
:U:n:
<#<H<d<
>K>[>y>!?+?
0,1l1{1
2.2D2q2{2
3&343F3]3g3v3
6O8l8
<e=Q>
?(?U?_?j?|?
2,2s2
2Q3k3
4_5r5z5
<,=7=B=\=a=
>)>9>F>L>a>g>t>
G0Y0^0
595%6
7#7d7
<4=\>|>
465p5{5
?;?X?n?
002V2
2$3G3
8 8c8
869F9Q9
:&:5:?:D:`:p:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
<,<S<[<s<
=,=4=Q=Y=u=}=
>%>->K>S>W>k>
?#?6?>?\?d?
0&0>0g0o0
1%1-111H1P1i1q1
252^2
3:3_3
434U4}4
5<5\5d5h5l5p5t5x5|5
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
4/5;5H5a5m5w5
5#666H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
8 8(838=8J8O8W8a8
2X2`2h2p2x2
[email protected]\3`3d3h3l3p3t3x3|3
4L4T4\4d4l4t4|4
5$5,545<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6
:`:d:h:l:p:t:x:|:
:L;\;d;l;t;|;
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>
TTTTTT
H8QDQ
TTTTTT!
TTTTTT
TTTTTT
}TTTTTT
5T P3S
TTTTTT
TTTTTT-.g
nTTTTTT
UTTTTTTa
JTTTTTT
8zETTTTTT
cEzQm
TTTTTT
}/TTTTTT
w#5q]A
RTTTTTTf?
TTTTTT
;~kG(
TTTTTT=
TTTTTTN
TTTTTTe(GQ0
TTTTTT
+8q)"
STTTTTT=
TTTTTT|
pi\TTTTTT}e
TTTTTT1#TnP
TTTTTTz"
TTTTTT[
|rz}`b
TTTTTT
~Kmjt
TTTTTTw{
O>84JV
#\"<>
aTTTTTT=
NTs{8
TTTTTT
sP'~o
TTTTTT
TTTTTT2
TTTTTT
VTTTTTT
E"TTTTTT
TTTTTT
TTTTTT
eTTTTTT
TTTTTT
TTTTTT
7TTTTTTf
*TyTTTTTT
nSboR
\]?TTTTTT
QztMK
KTTTTTT
FDcffCc\>
TTTTTT
+TTTTTT
TTTTTT
lp\TTTTTT
TTTTTTI
TTTTTThd)
p??pK
dTTTTTT
#TTTTTT
IYqTTTTTTT
9TTTTTT
uTTTTTT
TTTTTT
*dH&2G
TTTTTT4
@mTTTTTTp
TTTTTT
TTTTTT
pTTTTTT5Q
TTTTTT
TTTTTT
ZTTTTTTl
TTTTTT
$D'^TTTTTT
iTTTTTT
(r~?0dv
zyTTTTTT
D47$'
TTTTTT;
qTTTTTTQ
:TTTTTTzi
TTTTTT
TTTTTT)
TTTTTTNw
TTTTTT/
TTTTTT7f*N
BCl{ugTTTTTT
WH\$hu
TTTTTT
^5iD"
TTTTTT
ATTTTTT"*0
>TTTTTT
TTTTTT
TTTTTT
)TTTTTT
b_V>*
TTTTTT %
->TTTTTT[1
2TTTTTT
C4Sw#
TTTTTT
G68DO
TTTTTTT
TTTTTT8
~TTTTTT
TTTTTT
o5pFg
14Aa-
TTTTTT
TTTTTTrV
$TY81x[
TTTTTT8
TTTTTTji
TTTTTT8+
{aTTTTTTE
4TTTTTT
TTTTTTM
c'/%t
TTTTTT
TTTTTT
TTTTTT
r1|coT
pTTTTTT
TTTTTTJ
TTTTTT
S~Qr_
^9Vhts
H%`zy9M1k}
TTTTTT
{TTTTTT0
HTTTTTT
g+FP{
TTTTTTX`
TTTTTTI
TTTTTT
~TTTTTT
y#O-#
TTTTTT8
LcFNa
txn-q
TTTTTT
jW`CM
_iTTTTTT
}`TTTTTT
|.&0TTTTTTw
zGS;T
kuTTTTTT
TTTTTT
TTTTTT
3TTTTTT
PgvM*
&{5TTTTTT}X/
(X<B[V
%b{Gz[
TTTTTT!
TTTTTT
TTTTTT+
)TTTTTT
TTTTTT
MYM6Q
TTTTTTA+ 5
TTTTTTpi
TTTTTT
TTTTTT
TTTTTT
(vTTTTTT+
451TTTTTT
WNRMjp
x\"Jd
TTTTTT
UTTTTTTC
<DjFTy
TTTTTT
9t/.O
TTTTTT
TTTTTTKa
@TTTTTT$
TTTTTTQL
@TTTTTT
TTTTTTc
TTTTTT
:[la)
TTTTTTl=
TTTTTT
TTTTTT
TTTTTT
TTTTTT'
+TTTTTT
9hSTTTTTT
TTTTTT
TTTTTT$~
)y2iI
TTTTTTJ8
4Q;zr
6XF./
TTTTTT<
gfxoN
TTTTTT
'nTTTTTTM
//;Qp
TTTTTT
TTTTTT$l
*TTTTTT
TTTTTT
+sjTTTTTTZ
TTTTTTAZ
TTTTTT
TTTTTTp3
-TTTTTT
ADv,!
TTTTTT
qTTTTTTC
^BTTTTTTLd~
TTTTTT
uTTTTTT
3'% A6
TTTTTT
7[<j00
L!dTTTTTT<
tTTTTTTG
TTTTTTX?
`crMv
TTTTTT
Hm-!)
TTTTTT5]C
1TTTTTT
=TTTTTT
TTTTTT
TTTTTT
TTTTTT>y
TTTTTT{Q
TTTTTT
Nw1TTTTTTTW41
TTTTTT
TTTTTT,K
NTWh8
TTTTTTD
TTTTTT
KTTTTTT
TTTTTT/
TTTTTTJ
TTTTTT
TTTTTT2
oOxdh_x
TTTTTT
TTTTTT
a3eTTTTTT,5[[