Detections

Yara:

AgentTeslaV2

Auto Tasks

#17816: Unpacker

Analysis

Category: FILE
Package: exe
Started: 2020-06-30 13:44:57
Completed: 2020-06-30 13:50:41
Duration: 344 seconds
Options: procdump = yes
Log:
2020-05-13 09:07:46,165 [root] INFO: Date set to: 20200630T13:35:58, timeout set to: 200
2020-06-30 13:35:58,062 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-30 13:35:58,062 [root] DEBUG: Storing results at: C:\entncKzthf
2020-06-30 13:35:58,062 [root] DEBUG: Pipe server name: \\.\PIPE\lnakIMJ
2020-06-30 13:35:58,062 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:35:58,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:35:58,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:35:58,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:35:58,140 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:35:58,140 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:35:58,140 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:35:58,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:35:58,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:35:58,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:35:58,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:35:58,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:35:58,249 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:35:58,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:35:58,249 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:35:58,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:35:58,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:35:58,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:35:58,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:35:58,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:35:58,265 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:35:58,265 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:35:58,265 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:35:58,265 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:35:58,281 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:35:58,281 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:35:58,281 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:35:58,281 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:35:58,656 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:35:58,656 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:35:58,671 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:35:58,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:35:58,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:35:58,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:35:58,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:35:58,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:35:58,687 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:35:58,687 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:35:58,687 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:35:58,687 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:35:58,687 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:35:58,703 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:35:58,703 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:35:58,703 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:35:58,703 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:35:58,703 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:35:58,703 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:35:58,703 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:35:58,921 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:35:58,921 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:35:58,921 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:35:58,921 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:35:58,921 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:35:58,937 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:35:58,953 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:35:58,953 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:35:58,953 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:35:58,953 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:35:58,968 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:35:58,968 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:35:58,968 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:35:58,968 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:35:59,031 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:35:59,031 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:35:59,031 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:35:59,031 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:35:59,031 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:35:59,031 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:35:59,046 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:35:59,046 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:35:59,109 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:35:59,109 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:35:59,109 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:35:59,109 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:35:59,109 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:35:59,109 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:35:59,109 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:35:59,109 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:35:59,109 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:35:59,343 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe" with arguments "" with pid 5376
2020-06-30 13:35:59,343 [lib.api.process] INFO: Monitor config for process 5376: C:\tmpnwhtwc92\dll\5376.ini
2020-06-30 13:35:59,359 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:35:59,359 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:35:59,406 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:35:59,406 [root] DEBUG: Loader: Injecting process 5376 (thread 5776) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:35:59,406 [root] DEBUG: Process image base: 0x01140000
2020-06-30 13:35:59,406 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:35:59,421 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:35:59,421 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:35:59,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5376
2020-06-30 13:36:01,421 [lib.api.process] INFO: Successfully resumed process with pid 5376
2020-06-30 13:36:01,562 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:01,562 [root] DEBUG: Process dumps disabled.
2020-06-30 13:36:01,562 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:01,578 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5376 at 0x6a6b0000, image base 0x1140000, stack from 0x1d5000-0x1e0000
2020-06-30 13:36:01,578 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe".
2020-06-30 13:36:01,609 [root] INFO: Loaded monitor into process with pid 5376
2020-06-30 13:36:01,609 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:36:01,625 [root] DEBUG: set_caller_info: Adding region at 0x00690000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:36:01,640 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:36:01,640 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x690000
2020-06-30 13:36:01,640 [root] DEBUG: DumpPEsInRange: Scanning range 0x690000 - 0x691000.
2020-06-30 13:36:01,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x690000-0x691000.
2020-06-30 13:36:01,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\5376_10476234241161430262020 (size 0x596)
2020-06-30 13:36:01,687 [root] DEBUG: DumpRegion: Dumped stack region from 0x00690000, size 0x1000.
2020-06-30 13:36:01,687 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x000E0000.
2020-06-30 13:36:01,687 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:36:01,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\5376_17138226681161430262020 (size 0x100099)
2020-06-30 13:36:01,781 [root] DEBUG: DumpRegion: Dumped stack region from 0x00530000, size 0x101000.
2020-06-30 13:36:01,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x703E0000 to global list.
2020-06-30 13:36:01,781 [root] DEBUG: DLL loaded at 0x703E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:36:01,781 [root] DEBUG: DLL unloaded from 0x76020000.
2020-06-30 13:36:01,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00A90000 to global list.
2020-06-30 13:36:01,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x00A90000 to global list.
2020-06-30 13:36:01,828 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:36:01,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69060000 for section view with handle 0xd0.
2020-06-30 13:36:01,843 [root] DEBUG: DLL loaded at 0x69060000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-30 13:36:01,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B9D0000 for section view with handle 0xd0.
2020-06-30 13:36:01,859 [root] DEBUG: DLL loaded at 0x6B9D0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-30 13:36:01,875 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5376, handle 0xf0.
2020-06-30 13:36:01,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x00310000 to global list.
2020-06-30 13:36:01,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00320000 to global list.
2020-06-30 13:36:01,890 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:01,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:01,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:01,906 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:01,906 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x056F0000 to global list.
2020-06-30 13:36:01,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 amd local view 0x67810000 to global list.
2020-06-30 13:36:01,937 [root] DEBUG: DLL loaded at 0x67810000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 13:36:02,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x72A20000 to global list.
2020-06-30 13:36:02,000 [root] DEBUG: DLL loaded at 0x72A20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 13:36:02,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x77020000 to global list.
2020-06-30 13:36:02,015 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 13:36:02,015 [root] DEBUG: set_caller_info: Adding region at 0x00480000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:02,031 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x48ffff
2020-06-30 13:36:02,031 [root] DEBUG: DumpMemory: Nothing to dump at 0x00480000!
2020-06-30 13:36:02,031 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2020-06-30 13:36:02,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\5376_195898646022161430262020 (size 0x4e7)
2020-06-30 13:36:02,062 [root] DEBUG: DumpRegion: Dumped stack region from 0x00480000, size 0x1000.
2020-06-30 13:36:02,078 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:02,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:02,109 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:02,125 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:02,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:02,156 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:02,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x66E00000 to global list.
2020-06-30 13:36:02,234 [root] DEBUG: DLL loaded at 0x66E00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 13:36:02,234 [root] DEBUG: OpenProcessHandler: Image base for process 5376 (handle 0x220): 0x01140000.
2020-06-30 13:36:02,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 amd local view 0x66620000 to global list.
2020-06-30 13:36:02,296 [root] DEBUG: DLL loaded at 0x66620000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 13:36:02,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x69E20000 to global list.
2020-06-30 13:36:02,328 [root] DEBUG: DLL loaded at 0x69E20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-06-30 13:36:02,328 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:36:02,343 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:36:02,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x65A70000 to global list.
2020-06-30 13:36:02,453 [root] DEBUG: DLL loaded at 0x65A70000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-06-30 13:36:02,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x63D30000 for section view with handle 0x234.
2020-06-30 13:36:02,515 [root] DEBUG: DLL loaded at 0x63D30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-06-30 13:36:02,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65870000 for section view with handle 0x234.
2020-06-30 13:36:02,703 [root] DEBUG: DLL loaded at 0x65870000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-06-30 13:36:02,781 [root] DEBUG: DLL loaded at 0x65730000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-06-30 13:36:02,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x655E0000 for section view with handle 0x234.
2020-06-30 13:36:02,812 [root] DEBUG: DLL loaded at 0x655E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-06-30 13:36:02,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B570000 for section view with handle 0x234.
2020-06-30 13:36:02,828 [root] DEBUG: DLL loaded at 0x6B570000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-06-30 13:36:02,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69D50000 for section view with handle 0x23c.
2020-06-30 13:36:02,875 [root] DEBUG: DLL loaded at 0x69D50000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-06-30 13:36:02,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x65440000 to global list.
2020-06-30 13:36:02,937 [root] DEBUG: DLL loaded at 0x65440000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 13:36:02,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x63010000 for section view with handle 0x238.
2020-06-30 13:36:02,953 [root] DEBUG: DLL loaded at 0x63010000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 13:36:03,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E160000 for section view with handle 0x238.
2020-06-30 13:36:03,109 [root] DEBUG: DLL loaded at 0x6E160000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 13:36:03,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E40000 for section view with handle 0x238.
2020-06-30 13:36:03,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737A0000 for section view with handle 0x240.
2020-06-30 13:36:03,187 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-30 13:36:03,203 [root] DEBUG: DLL loaded at 0x731D0000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-30 13:36:03,234 [root] DEBUG: set_caller_info: Adding region at 0x00340000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:03,234 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x34ffff
2020-06-30 13:36:03,234 [root] DEBUG: DumpMemory: Nothing to dump at 0x00340000!
2020-06-30 13:36:03,234 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00340000 size 0x10000.
2020-06-30 13:36:03,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\5376_112113572423161430262020 (size 0xf7)
2020-06-30 13:36:03,265 [root] DEBUG: DumpRegion: Dumped stack region from 0x00340000, size 0x1000.
2020-06-30 13:36:03,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x258 amd local view 0x65370000 to global list.
2020-06-30 13:36:03,781 [root] DEBUG: DLL loaded at 0x65370000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni (0xc8000 bytes).
2020-06-30 13:36:04,203 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-30 13:36:04,218 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
2020-06-30 13:36:04,218 [root] DEBUG: set_caller_info: Adding region at 0x00350000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 13:36:04,218 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x35ffff
2020-06-30 13:36:04,218 [root] DEBUG: DumpMemory: Nothing to dump at 0x00350000!
2020-06-30 13:36:04,218 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00350000 size 0x10000.
2020-06-30 13:36:04,218 [root] DEBUG: DumpPEsInRange: Scanning range 0x350000 - 0x35d000.
2020-06-30 13:36:04,218 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x350000-0x35d000.
2020-06-30 13:36:04,234 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\5376_98300167424161430262020 (size 0xc7c2)
2020-06-30 13:36:04,249 [root] DEBUG: DumpRegion: Dumped stack region from 0x00350000, size 0xd000.
2020-06-30 13:36:04,249 [root] DEBUG: set_caller_info: Adding region at 0x00E50000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 13:36:04,249 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0xe5ffff
2020-06-30 13:36:04,249 [root] DEBUG: DumpMemory: Nothing to dump at 0x00E50000!
2020-06-30 13:36:04,249 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00E50000 size 0x10000.
2020-06-30 13:36:04,265 [root] DEBUG: DumpPEsInRange: Scanning range 0xe50000 - 0xe51000.
2020-06-30 13:36:04,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\5376_90589056524161430262020 (size 0xf2e)
2020-06-30 13:36:04,281 [root] DEBUG: DumpRegion: Dumped stack region from 0x00E50000, size 0x1000.
2020-06-30 13:36:04,359 [root] INFO: Announced 32-bit process name: cmd.exe pid: 4132
2020-06-30 13:36:04,359 [lib.api.process] INFO: Monitor config for process 4132: C:\tmpnwhtwc92\dll\4132.ini
2020-06-30 13:36:04,359 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:04,359 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:04,375 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:04,375 [root] DEBUG: Loader: Injecting process 4132 (thread 5348) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,375 [root] DEBUG: Process image base: 0x49F40000
2020-06-30 13:36:04,375 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,375 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-30 13:36:04,375 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:36:04,406 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:04,406 [root] DEBUG: Process dumps disabled.
2020-06-30 13:36:04,406 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:04,421 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:04,421 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4132 at 0x6a6b0000, image base 0x49f40000, stack from 0x243000-0x340000
2020-06-30 13:36:04,421 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"cmd.exe" \c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run \f \v Inte \t REG_SZ \d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates
2020-06-30 13:36:04,437 [root] INFO: Loaded monitor into process with pid 4132
2020-06-30 13:36:04,437 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:36:04,437 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:36:04,437 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,437 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:36:04,437 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intel
2020-06-30 13:36:04,437 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4132, ImageBase: 0x49F40000
2020-06-30 13:36:04,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x298 amd local view 0x00F60000 to global list.
2020-06-30 13:36:04,468 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:36:04,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc0 amd local view 0x02E70000 to global list.
2020-06-30 13:36:04,484 [root] INFO: Announced 32-bit process name: reg.exe pid: 4720
2020-06-30 13:36:04,484 [lib.api.process] INFO: Monitor config for process 4720: C:\tmpnwhtwc92\dll\4720.ini
2020-06-30 13:36:04,484 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:04,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:04,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:04,500 [root] DEBUG: Loader: Injecting process 4720 (thread 4844) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,500 [root] DEBUG: Process image base: 0x00670000
2020-06-30 13:36:04,500 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,500 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:36:04,500 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,500 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4720
2020-06-30 13:36:04,515 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:36:04,515 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4720, ImageBase: 0x00670000
2020-06-30 13:36:04,515 [root] INFO: Announced 32-bit process name: reg.exe pid: 4720
2020-06-30 13:36:04,515 [lib.api.process] INFO: Monitor config for process 4720: C:\tmpnwhtwc92\dll\4720.ini
2020-06-30 13:36:04,515 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:04,515 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:04,531 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:04,531 [root] DEBUG: Loader: Injecting process 4720 (thread 4844) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,531 [root] DEBUG: Process image base: 0x00670000
2020-06-30 13:36:04,531 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,531 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:36:04,531 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:04,531 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4720
2020-06-30 13:36:04,546 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:04,562 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:04,562 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:36:04,578 [root] INFO: Loaded monitor into process with pid 4720
2020-06-30 13:36:04,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc0 amd local view 0x02930000 to global list.
2020-06-30 13:36:04,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x02830000 to global list.
2020-06-30 13:36:04,578 [root] DEBUG: set_caller_info: Adding region at 0x74D40000 to caller regions list (ntdll::NtClose).
2020-06-30 13:36:04,578 [root] DEBUG: set_caller_info: Calling region at 0x74D40000 skipped.
2020-06-30 13:36:04,593 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-30 13:36:04,593 [root] INFO: Process with pid 4720 has terminated
2020-06-30 13:36:04,640 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-30 13:36:19,453 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5376.
2020-06-30 13:36:21,468 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2384, handle 0x310.
2020-06-30 13:36:21,468 [root] DEBUG: OpenProcessHandler: Image base for process 2384 (handle 0x310): 0x00AD0000.
2020-06-30 13:36:21,484 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 884, handle 0x310.
2020-06-30 13:36:21,500 [root] DEBUG: OpenProcessHandler: Image base for process 884 (handle 0x310): 0x003F0000.
2020-06-30 13:36:21,500 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1504, handle 0x310.
2020-06-30 13:36:21,531 [root] DEBUG: OpenProcessHandler: Image base for process 1504 (handle 0x310): 0x00AD0000.
2020-06-30 13:36:21,531 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1592, handle 0x310.
2020-06-30 13:36:21,531 [root] DEBUG: OpenProcessHandler: Image base for process 1592 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,562 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1768, handle 0x310.
2020-06-30 13:36:21,562 [root] DEBUG: OpenProcessHandler: Image base for process 1768 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,578 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2300, handle 0x310.
2020-06-30 13:36:21,578 [root] DEBUG: OpenProcessHandler: Image base for process 2300 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,625 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 340, handle 0x310.
2020-06-30 13:36:21,640 [root] DEBUG: OpenProcessHandler: Image base for process 340 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,640 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 784, handle 0x310.
2020-06-30 13:36:21,640 [root] DEBUG: OpenProcessHandler: Image base for process 784 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,656 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 248, handle 0x310.
2020-06-30 13:36:21,656 [root] DEBUG: OpenProcessHandler: Image base for process 248 (handle 0x310): 0x481A0000.
2020-06-30 13:36:21,656 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 332, handle 0x310.
2020-06-30 13:36:21,671 [root] DEBUG: OpenProcessHandler: Image base for process 332 (handle 0x310): 0x49700000.
2020-06-30 13:36:21,671 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1576, handle 0x310.
2020-06-30 13:36:21,671 [root] DEBUG: OpenProcessHandler: Image base for process 1576 (handle 0x310): 0x00910000.
2020-06-30 13:36:21,687 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 416, handle 0x310.
2020-06-30 13:36:21,687 [root] DEBUG: OpenProcessHandler: Image base for process 416 (handle 0x310): 0x00ED0000.
2020-06-30 13:36:21,687 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1432, handle 0x310.
2020-06-30 13:36:21,687 [root] DEBUG: OpenProcessHandler: Image base for process 1432 (handle 0x310): 0x00E70000.
2020-06-30 13:36:21,687 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5508, handle 0x310.
2020-06-30 13:36:21,687 [root] DEBUG: OpenProcessHandler: Image base for process 5508 (handle 0x310): 0x00940000.
2020-06-30 13:36:21,703 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 580, handle 0x310.
2020-06-30 13:36:21,703 [root] DEBUG: OpenProcessHandler: Image base for process 580 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,703 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 840, handle 0x310.
2020-06-30 13:36:21,718 [root] DEBUG: OpenProcessHandler: Image base for process 840 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,734 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 480, handle 0x310.
2020-06-30 13:36:21,734 [root] DEBUG: OpenProcessHandler: Image base for process 480 (handle 0x310): 0x00320000.
2020-06-30 13:36:21,750 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 656, handle 0x310.
2020-06-30 13:36:21,750 [root] DEBUG: OpenProcessHandler: Image base for process 656 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,750 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 744, handle 0x310.
2020-06-30 13:36:21,750 [root] DEBUG: OpenProcessHandler: Image base for process 744 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,765 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1276, handle 0x310.
2020-06-30 13:36:21,765 [root] DEBUG: OpenProcessHandler: Image base for process 1276 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,765 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1452, handle 0x310.
2020-06-30 13:36:21,765 [root] DEBUG: OpenProcessHandler: Image base for process 1452 (handle 0x310): 0x00800000.
2020-06-30 13:36:21,781 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 472, handle 0x310.
2020-06-30 13:36:21,781 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 376, handle 0x310.
2020-06-30 13:36:21,781 [root] DEBUG: OpenProcessHandler: Image base for process 376 (handle 0x310): 0x49700000.
2020-06-30 13:36:21,796 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 464, handle 0x310.
2020-06-30 13:36:21,796 [root] DEBUG: OpenProcessHandler: Image base for process 464 (handle 0x310): 0x00280000.
2020-06-30 13:36:21,796 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 816, handle 0x310.
2020-06-30 13:36:21,812 [root] DEBUG: OpenProcessHandler: Image base for process 816 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,828 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 368, handle 0x310.
2020-06-30 13:36:21,828 [root] DEBUG: OpenProcessHandler: Image base for process 368 (handle 0x310): 0x00090000.
2020-06-30 13:36:21,828 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1196, handle 0x310.
2020-06-30 13:36:21,828 [root] DEBUG: OpenProcessHandler: Image base for process 1196 (handle 0x310): 0x00EC0000.
2020-06-30 13:36:21,843 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1076, handle 0x310.
2020-06-30 13:36:21,843 [root] DEBUG: OpenProcessHandler: Image base for process 1076 (handle 0x310): 0x00BB0000.
2020-06-30 13:36:21,859 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4040, handle 0x310.
2020-06-30 13:36:21,875 [root] DEBUG: OpenProcessHandler: Image base for process 4040 (handle 0x310): 0x00470000.
2020-06-30 13:36:22,890 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
2020-06-30 13:36:24,468 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-30 13:36:29,906 [root] DEBUG: DLL loaded at 0x73A50000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-30 13:36:29,921 [root] DEBUG: DLL loaded at 0x73DC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-30 13:36:29,921 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-30 13:36:29,937 [root] DEBUG: DLL loaded at 0x73B50000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-30 13:36:29,937 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-06-30 13:36:29,953 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:36:30,000 [root] DEBUG: DLL loaded at 0x6DF50000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-06-30 13:36:30,000 [root] DEBUG: DLL loaded at 0x76CE0000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-06-30 13:36:30,000 [root] DEBUG: DLL loaded at 0x74F70000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:30,015 [root] DEBUG: DLL loaded at 0x74FF0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:30,031 [root] DEBUG: DLL loaded at 0x74FE0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-30 13:36:30,062 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:30,078 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:30,078 [root] DEBUG: DLL loaded at 0x75000000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-30 13:36:30,078 [root] DEBUG: DLL loaded at 0x76AA0000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-06-30 13:36:30,093 [root] DEBUG: DLL loaded at 0x767A0000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-06-30 13:36:30,109 [root] DEBUG: DLL loaded at 0x76160000: C:\Windows\system32\WININET (0x1c4000 bytes).
2020-06-30 13:36:30,109 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-30 13:36:30,125 [root] DEBUG: DLL loaded at 0x75230000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-06-30 13:36:30,140 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-06-30 13:36:30,156 [root] DEBUG: DLL loaded at 0x75020000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-06-30 13:36:30,156 [root] DEBUG: DLL loaded at 0x70E20000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-30 13:36:30,171 [root] DEBUG: DLL unloaded from 0x753D0000.
2020-06-30 13:36:30,187 [root] INFO: Announced 32-bit process name: Intelx.exe pid: 6064
2020-06-30 13:36:30,187 [lib.api.process] INFO: Monitor config for process 6064: C:\tmpnwhtwc92\dll\6064.ini
2020-06-30 13:36:30,234 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:30,234 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:30,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:30,265 [root] DEBUG: Loader: Injecting process 6064 (thread 4344) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:30,265 [root] DEBUG: Process image base: 0x009B0000
2020-06-30 13:36:30,296 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:30,296 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:30,312 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:30,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 6064
2020-06-30 13:36:30,375 [root] DEBUG: CreateProcessHandler: Injection info set for new process 6064, ImageBase: 0x009B0000
2020-06-30 13:36:30,375 [root] INFO: Announced 32-bit process name: Intelx.exe pid: 6064
2020-06-30 13:36:30,375 [lib.api.process] INFO: Monitor config for process 6064: C:\tmpnwhtwc92\dll\6064.ini
2020-06-30 13:36:30,390 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:30,390 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:30,390 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:30,421 [root] DEBUG: Loader: Injecting process 6064 (thread 4344) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:30,437 [root] DEBUG: Process image base: 0x009B0000
2020-06-30 13:36:30,437 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:30,437 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:30,437 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:30,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 6064
2020-06-30 13:36:30,453 [root] DEBUG: DLL unloaded from 0x655E0000.
2020-06-30 13:36:30,468 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:30,468 [root] DEBUG: Process dumps disabled.
2020-06-30 13:36:30,468 [root] DEBUG: DLL unloaded from 0x69D50000.
2020-06-30 13:36:30,468 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:30,484 [root] DEBUG: DLL unloaded from 0x73A50000.
2020-06-30 13:36:30,515 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-30 13:36:30,515 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:30,515 [root] DEBUG: DLL unloaded from 0x73B50000.
2020-06-30 13:36:30,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 6064 at 0x6a6b0000, image base 0x9b0000, stack from 0x1e6000-0x1f0000
2020-06-30 13:36:30,515 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe".
2020-06-30 13:36:30,531 [root] DEBUG: DLL unloaded from 0x69060000.
2020-06-30 13:36:30,531 [root] INFO: Loaded monitor into process with pid 6064
2020-06-30 13:36:30,531 [root] DEBUG: DLL unloaded from 0x703E0000.
2020-06-30 13:36:30,531 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:36:30,578 [root] DEBUG: set_caller_info: Adding region at 0x01740000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 13:36:30,578 [root] INFO: Process with pid 5376 has terminated
2020-06-30 13:36:30,640 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:36:30,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00230000 to global list.
2020-06-30 13:36:30,781 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6064.
2020-06-30 13:36:30,781 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6064.
2020-06-30 13:36:30,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 amd local view 0x056C0000 to global list.
2020-06-30 13:36:30,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b4 amd local view 0x66470000 to global list.
2020-06-30 13:36:30,812 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6064.
2020-06-30 13:36:30,828 [root] DEBUG: DLL loaded at 0x66470000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 13:36:30,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e8 amd local view 0x6B570000 to global list.
2020-06-30 13:36:30,859 [root] DEBUG: DLL loaded at 0x6B570000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 13:36:30,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x77020000 for section view with handle 0x1b4.
2020-06-30 13:36:30,890 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 13:36:30,906 [root] DEBUG: set_caller_info: Adding region at 0x00330000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:30,906 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x33ffff
2020-06-30 13:36:30,906 [root] DEBUG: DumpMemory: Nothing to dump at 0x00330000!
2020-06-30 13:36:30,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\6064_170713700950161430262020 (size 0x4e7)
2020-06-30 13:36:31,000 [root] DEBUG: DumpRegion: Dumped stack region from 0x00330000, size 0x1000.
2020-06-30 13:36:31,015 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6064.
2020-06-30 13:36:31,078 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6064.
2020-06-30 13:36:31,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x681A0000 to global list.
2020-06-30 13:36:31,140 [root] DEBUG: DLL loaded at 0x681A0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 13:36:31,171 [root] DEBUG: OpenProcessHandler: Image base for process 6064 (handle 0x220): 0x009B0000.
2020-06-30 13:36:31,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 amd local view 0x679C0000 to global list.
2020-06-30 13:36:31,218 [root] DEBUG: DLL loaded at 0x679C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 13:36:31,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x66070000 to global list.
2020-06-30 13:36:31,234 [root] DEBUG: DLL loaded at 0x66070000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-06-30 13:36:31,234 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:36:31,249 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:36:31,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x654C0000 to global list.
2020-06-30 13:36:31,296 [root] DEBUG: DLL loaded at 0x654C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-06-30 13:36:31,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x62A20000 for section view with handle 0x234.
2020-06-30 13:36:31,312 [root] DEBUG: DLL loaded at 0x62A20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-06-30 13:36:31,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A020000 for section view with handle 0x234.
2020-06-30 13:36:31,328 [root] DEBUG: DLL loaded at 0x6A020000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-06-30 13:36:31,343 [root] DEBUG: DLL loaded at 0x69EE0000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-06-30 13:36:31,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69D90000 for section view with handle 0x234.
2020-06-30 13:36:31,359 [root] DEBUG: DLL loaded at 0x69D90000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-06-30 13:36:31,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72A20000 for section view with handle 0x234.
2020-06-30 13:36:31,359 [root] DEBUG: DLL loaded at 0x72A20000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-06-30 13:36:31,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x678F0000 for section view with handle 0x23c.
2020-06-30 13:36:31,390 [root] DEBUG: DLL loaded at 0x678F0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-06-30 13:36:31,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x65320000 to global list.
2020-06-30 13:36:31,437 [root] DEBUG: DLL loaded at 0x65320000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 13:36:31,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x64320000 for section view with handle 0x238.
2020-06-30 13:36:31,484 [root] DEBUG: DLL loaded at 0x64320000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 13:36:31,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E180000 for section view with handle 0x238.
2020-06-30 13:36:31,515 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 13:36:31,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08190000 for section view with handle 0x238.
2020-06-30 13:36:31,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737A0000 for section view with handle 0x240.
2020-06-30 13:36:31,562 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-30 13:36:31,578 [root] DEBUG: DLL loaded at 0x731D0000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-30 13:36:31,578 [root] DEBUG: set_caller_info: Adding region at 0x00250000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:31,578 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x25ffff
2020-06-30 13:36:31,593 [root] DEBUG: DumpMemory: Nothing to dump at 0x00250000!
2020-06-30 13:36:31,593 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00250000 size 0x10000.
2020-06-30 13:36:31,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x250000 - 0x251000.
2020-06-30 13:36:31,593 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x250000-0x251000.
2020-06-30 13:36:31,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\6064_29550931851161430262020 (size 0xf7)
2020-06-30 13:36:32,093 [root] DEBUG: set_caller_info: Adding region at 0x006B0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 13:36:32,093 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6bffff
2020-06-30 13:36:32,093 [root] DEBUG: DumpMemory: Nothing to dump at 0x006B0000!
2020-06-30 13:36:32,109 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x006B0000 size 0x10000.
2020-06-30 13:36:32,109 [root] DEBUG: DumpPEsInRange: Scanning range 0x6b0000 - 0x6b1000.
2020-06-30 13:36:32,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6b0000-0x6b1000.
2020-06-30 13:36:32,156 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\6064_45378366352161430262020 (size 0xf2e)
2020-06-30 13:36:32,156 [root] DEBUG: DumpRegion: Dumped stack region from 0x006B0000, size 0x1000.
2020-06-30 13:36:32,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 amd local view 0x753D0000 to global list.
2020-06-30 13:36:32,171 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-30 13:36:32,187 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:36:47,171 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 6064.
2020-06-30 13:36:49,203 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,203 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,234 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,234 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,249 [root] DEBUG: Loader: Injecting process 3328 (thread 4244) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,249 [root] DEBUG: Process image base: 0x00F50000
2020-06-30 13:36:49,249 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:49,249 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:49,249 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,265 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3328
2020-06-30 13:36:49,281 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:36:49,328 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3328, ImageBase: 0x00F50000
2020-06-30 13:36:49,328 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,328 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,343 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,359 [root] DEBUG: Loader: Injecting process 3328 (thread 4244) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,375 [root] DEBUG: Process image base: 0x00F50000
2020-06-30 13:36:49,375 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:49,375 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:49,375 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,375 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3328
2020-06-30 13:36:49,390 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 3328 (ImageBase 0x400000)
2020-06-30 13:36:49,390 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:36:49,406 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04D02AD8.
2020-06-30 13:36:49,453 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x45a00.
2020-06-30 13:36:49,453 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4d02ad8, SizeOfImage 0x4c000.
2020-06-30 13:36:49,468 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,468 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,468 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,484 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,500 [root] DEBUG: Loader: Injecting process 3328 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,500 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:49,500 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:49,500 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,500 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3328, error: 4294967281
2020-06-30 13:36:49,515 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-30 13:36:49,515 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,531 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,531 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,531 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,593 [root] DEBUG: Loader: Injecting process 3328 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,593 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:49,609 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:49,609 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,625 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3328, error: 4294967281
2020-06-30 13:36:49,625 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0391AE38 (size 0x600) injected into process 3328.
2020-06-30 13:36:49,640 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\6064_153886578723211430262020 (size 0x535)
2020-06-30 13:36:49,640 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:36:49,656 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,656 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,671 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,687 [root] DEBUG: Loader: Injecting process 3328 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,703 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:49,718 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:49,718 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,734 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3328, error: 4294967281
2020-06-30 13:36:49,750 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0391BCCC (size 0x200) injected into process 3328.
2020-06-30 13:36:49,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\6064_101096630423211430262020 (size 0x9)
2020-06-30 13:36:49,796 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:36:49,828 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,828 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,828 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,843 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,843 [root] DEBUG: Loader: Injecting process 3328 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,859 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:49,859 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:49,859 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,875 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3328, error: 4294967281
2020-06-30 13:36:49,890 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:49,906 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:49,921 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:49,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:49,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:49,953 [root] DEBUG: Loader: Injecting process 3328 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,953 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:49,953 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:49,968 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:49,968 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3328, error: 4294967281
2020-06-30 13:36:52,203 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-30 13:36:52,468 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x00046F9E (process 3328).
2020-06-30 13:36:52,468 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3328
2020-06-30 13:36:52,468 [lib.api.process] INFO: Monitor config for process 3328: C:\tmpnwhtwc92\dll\3328.ini
2020-06-30 13:36:52,468 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:36:52,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:36:52,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:36:52,515 [root] DEBUG: Loader: Injecting process 3328 (thread 4244) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:52,515 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:36:52,515 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:52,531 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:52,531 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:36:52,531 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3328
2020-06-30 13:36:53,531 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:36:53,546 [root] DEBUG: DLL unloaded from 0x69D90000.
2020-06-30 13:36:53,562 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:53,593 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3328 at 0x6a6b0000, image base 0x400000, stack from 0x236000-0x240000
2020-06-30 13:36:53,593 [root] DEBUG: DLL unloaded from 0x76130000.
2020-06-30 13:36:53,609 [root] DEBUG: DLL unloaded from 0x69060000.
2020-06-30 13:36:53,609 [root] DEBUG: DLL unloaded from 0x703E0000.
2020-06-30 13:36:53,609 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe".
2020-06-30 13:36:53,625 [root] INFO: Process with pid 6064 has terminated
2020-06-30 13:36:53,640 [root] INFO: Loaded monitor into process with pid 3328
2020-06-30 13:36:53,656 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:36:53,765 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3328, handle 0xf4.
2020-06-30 13:36:53,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00130000 to global list.
2020-06-30 13:36:53,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x00240000 to global list.
2020-06-30 13:36:53,828 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:36:53,843 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:36:53,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 amd local view 0x05710000 to global list.
2020-06-30 13:36:53,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b4 amd local view 0x67810000 to global list.
2020-06-30 13:36:53,875 [root] DEBUG: DLL loaded at 0x67810000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 13:36:53,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x66E00000 to global list.
2020-06-30 13:36:53,984 [root] DEBUG: DLL loaded at 0x66E00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 13:36:54,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A080000 for section view with handle 0x208.
2020-06-30 13:36:54,015 [root] DEBUG: DLL loaded at 0x6A080000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 13:36:54,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x660E0000 to global list.
2020-06-30 13:36:54,031 [root] DEBUG: DLL loaded at 0x660E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 13:36:54,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x6E160000 to global list.
2020-06-30 13:36:54,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05B80000 for section view with handle 0x20c.
2020-06-30 13:36:54,093 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-30 13:36:54,109 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:36:54,125 [root] DEBUG: set_caller_info: Adding region at 0x00260000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:54,125 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x26ffff
2020-06-30 13:36:54,125 [root] DEBUG: DumpMemory: Nothing to dump at 0x00260000!
2020-06-30 13:36:54,125 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00260000 size 0x10000.
2020-06-30 13:36:54,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x260000 - 0x261000.
2020-06-30 13:36:54,140 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x260000-0x261000.
2020-06-30 13:36:54,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\3328_180834454414171430262020 (size 0x14)
2020-06-30 13:36:54,203 [root] DEBUG: DumpRegion: Dumped stack region from 0x00260000, size 0x1000.
2020-06-30 13:36:54,218 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 13:36:54,234 [root] DEBUG: set_caller_info: Adding region at 0x00270000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:36:54,234 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x27ffff
2020-06-30 13:36:54,249 [root] DEBUG: DumpMemory: Nothing to dump at 0x00270000!
2020-06-30 13:36:54,265 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00270000 size 0x10000.
2020-06-30 13:36:54,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x270000 - 0x27c000.
2020-06-30 13:36:54,281 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x270000-0x27c000.
2020-06-30 13:36:54,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\3328_104735242214171430262020 (size 0xb147)
2020-06-30 13:36:54,328 [root] DEBUG: DumpRegion: Dumped stack region from 0x00270000, size 0xc000.
2020-06-30 13:36:54,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x254 amd local view 0x65900000 to global list.
2020-06-30 13:36:54,375 [root] DEBUG: DLL loaded at 0x65900000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 13:36:54,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x250 amd local view 0x69EA0000 to global list.
2020-06-30 13:36:54,406 [root] DEBUG: DLL loaded at 0x69EA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-30 13:37:05,437 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:37:05,484 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:37:05,546 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:37:05,546 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-30 13:37:05,562 [root] DEBUG: DLL loaded at 0x6B5B0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-30 13:37:05,593 [root] DEBUG: DLL loaded at 0x69E40000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-30 13:37:05,609 [root] DEBUG: DLL loaded at 0x76480000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-30 13:37:05,609 [root] DEBUG: DLL loaded at 0x76120000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-30 13:37:05,640 [root] INFO: Stopping WMI Service
2020-06-30 13:37:13,421 [root] INFO: Stopped WMI Service
2020-06-30 13:37:13,953 [lib.api.process] INFO: Monitor config for process 580: C:\tmpnwhtwc92\dll\580.ini
2020-06-30 13:37:13,984 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:37:13,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:37:14,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:37:14,015 [root] DEBUG: Loader: Injecting process 580 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:14,015 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 612, handle 0xa0
2020-06-30 13:37:14,015 [root] DEBUG: Process image base: 0x00BB0000
2020-06-30 13:37:14,015 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-30 13:37:14,031 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:37:14,062 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:37:14,109 [root] DEBUG: Process dumps disabled.
2020-06-30 13:37:14,125 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:37:14,140 [root] INFO: Disabling sleep skipping.
2020-06-30 13:37:14,140 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 580 at 0x6a6b0000, image base 0xbb0000, stack from 0xa86000-0xa90000
2020-06-30 13:37:14,171 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-06-30 13:37:14,203 [root] INFO: Loaded monitor into process with pid 580
2020-06-30 13:37:14,218 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:37:14,218 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:37:14,234 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:16,234 [root] INFO: Starting WMI Service
2020-06-30 13:37:18,828 [root] INFO: Started WMI Service
2020-06-30 13:37:18,843 [lib.api.process] INFO: Monitor config for process 4608: C:\tmpnwhtwc92\dll\4608.ini
2020-06-30 13:37:18,875 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:37:18,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:37:18,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:37:18,937 [root] DEBUG: Loader: Injecting process 4608 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:18,968 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:37:18,984 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:37:18,984 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:37:18,984 [root] DEBUG: Process dumps disabled.
2020-06-30 13:37:19,000 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:37:19,000 [root] INFO: Disabling sleep skipping.
2020-06-30 13:37:19,015 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4608 at 0x6a6b0000, image base 0xbb0000, stack from 0xb46000-0xb50000
2020-06-30 13:37:19,015 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-30 13:37:19,031 [root] INFO: Loaded monitor into process with pid 4608
2020-06-30 13:37:19,046 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:37:19,078 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:37:19,078 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:21,078 [root] DEBUG: DLL loaded at 0x6E270000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-30 13:37:21,078 [root] DEBUG: DLL loaded at 0x6E830000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-30 13:37:21,109 [root] DEBUG: DLL loaded at 0x6D810000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 13:37:21,125 [root] DEBUG: DLL loaded at 0x6E8F0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-06-30 13:37:21,140 [root] DEBUG: DLL loaded at 0x733A0000: C:\Windows\system32\ATL (0x14000 bytes).
2020-06-30 13:37:21,140 [root] DEBUG: DLL loaded at 0x6E820000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-06-30 13:37:21,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x005D0000 to global list.
2020-06-30 13:37:21,171 [root] DEBUG: DLL loaded at 0x72D90000: C:\Windows\system32\samcli (0xf000 bytes).
2020-06-30 13:37:21,187 [root] DEBUG: DLL loaded at 0x73980000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-06-30 13:37:21,187 [root] DEBUG: DLL loaded at 0x73C00000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-30 13:37:21,218 [root] DEBUG: DLL loaded at 0x733C0000: C:\Windows\system32\es (0x47000 bytes).
2020-06-30 13:37:21,234 [root] DEBUG: DLL loaded at 0x73A50000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-30 13:37:21,265 [root] DEBUG: DLL loaded at 0x6DD60000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-06-30 13:37:21,265 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:37:21,281 [root] DEBUG: DLL loaded at 0x6DD00000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2020-06-30 13:37:21,281 [root] DEBUG: DLL loaded at 0x6E490000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2020-06-30 13:37:21,312 [root] DEBUG: DLL loaded at 0x6E300000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-30 13:37:21,312 [root] DEBUG: DLL unloaded from 0x6DD60000.
2020-06-30 13:37:21,328 [root] DEBUG: DLL loaded at 0x6DB90000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-30 13:37:21,343 [root] DEBUG: DLL loaded at 0x6DB90000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-30 13:37:21,359 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-06-30 13:37:21,406 [root] DEBUG: DLL loaded at 0x6D810000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 13:37:21,437 [root] DEBUG: DLL loaded at 0x6D690000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-06-30 13:37:21,468 [root] DEBUG: DLL loaded at 0x74A60000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-06-30 13:37:21,500 [root] DEBUG: DLL unloaded from 0x74A60000.
2020-06-30 13:37:21,953 [root] DEBUG: DLL loaded at 0x6CFD0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-06-30 13:37:21,968 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 580, handle 0x2c8.
2020-06-30 13:37:21,984 [root] DEBUG: DLL loaded at 0x69DE0000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-06-30 13:37:22,156 [root] DEBUG: DLL loaded at 0x6E490000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-06-30 13:37:22,187 [root] DEBUG: DLL loaded at 0x6E300000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-30 13:37:22,218 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-30 13:37:22,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2d4 amd local view 0x03490000 to global list.
2020-06-30 13:37:22,359 [root] DEBUG: DLL loaded at 0x6E8B0000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-06-30 13:37:22,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2e8 amd local view 0x6E330000 to global list.
2020-06-30 13:37:22,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E2A0000 for section view with handle 0x2e8.
2020-06-30 13:37:22,531 [root] DEBUG: DLL loaded at 0x6E2A0000: C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x18000 bytes).
2020-06-30 13:37:22,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x2e8.
2020-06-30 13:37:22,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2dc amd local view 0x007C0000 to global list.
2020-06-30 13:37:22,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2ec amd local view 0x007C0000 to global list.
2020-06-30 13:37:22,578 [root] DEBUG: DLL unloaded from 0x69060000.
2020-06-30 13:37:22,656 [root] DEBUG: DLL unloaded from 0x6DD60000.
2020-06-30 13:37:22,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65680000 for section view with handle 0x2ec.
2020-06-30 13:37:22,781 [root] DEBUG: DLL loaded at 0x65680000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-06-30 13:37:22,796 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:37:22,812 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:37:22,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x338 amd local view 0x6CC40000 to global list.
2020-06-30 13:37:22,875 [root] DEBUG: DLL loaded at 0x6CC40000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-06-30 13:37:25,031 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:37:28,468 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:37:32,921 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-30 13:37:46,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x328 amd local view 0x007E0000 to global list.
2020-06-30 13:37:46,843 [root] DEBUG: set_caller_info: Adding region at 0x00830000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:37:46,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x83ffff
2020-06-30 13:37:46,859 [root] DEBUG: DumpMemory: Nothing to dump at 0x00830000!
2020-06-30 13:37:46,859 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00830000 size 0x10000.
2020-06-30 13:37:46,890 [root] DEBUG: DumpPEsInRange: Scanning range 0x830000 - 0x831000.
2020-06-30 13:37:46,890 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x830000-0x831000.
2020-06-30 13:37:47,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\entncKzthf\CAPE\3328_1088591905321430262020 (size 0x75e)
2020-06-30 13:37:47,046 [root] DEBUG: DumpRegion: Dumped stack region from 0x00830000, size 0x1000.
2020-06-30 13:37:47,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x344 amd local view 0x02DE0000 to global list.
2020-06-30 13:37:47,343 [root] DEBUG: DLL loaded at 0x71900000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-30 13:37:47,359 [root] DEBUG: DLL unloaded from 0x763B0000.
2020-06-30 13:37:47,890 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-30 13:37:47,890 [lib.api.process] INFO: Monitor config for process 464: C:\tmpnwhtwc92\dll\464.ini
2020-06-30 13:37:47,937 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:37:47,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:37:47,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:37:48,015 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:48,015 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:37:48,031 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:37:48,046 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:37:48,046 [root] DEBUG: Process dumps disabled.
2020-06-30 13:37:48,062 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:37:48,093 [root] INFO: Disabling sleep skipping.
2020-06-30 13:37:48,109 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 464 at 0x6a6b0000, image base 0x280000, stack from 0x18d6000-0x18e0000
2020-06-30 13:37:48,109 [root] DEBUG: Commandline: C:\Windows\System32\services.exe.
2020-06-30 13:37:48,125 [root] INFO: Loaded monitor into process with pid 464
2020-06-30 13:37:48,125 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:37:48,125 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:37:48,140 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,156 [root] INFO: Announced 32-bit process name: lsass.exe pid: 5548
2020-06-30 13:37:49,171 [lib.api.process] INFO: Monitor config for process 5548: C:\tmpnwhtwc92\dll\5548.ini
2020-06-30 13:37:49,187 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:37:49,187 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:37:49,218 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:37:49,218 [root] DEBUG: Loader: Injecting process 5548 (thread 5584) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,218 [root] DEBUG: Process image base: 0x00240000
2020-06-30 13:37:49,218 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,234 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:37:49,249 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,249 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5548
2020-06-30 13:37:49,265 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-30 13:37:49,265 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5548, ImageBase: 0x00240000
2020-06-30 13:37:49,265 [root] INFO: Announced 32-bit process name: lsass.exe pid: 5548
2020-06-30 13:37:49,265 [lib.api.process] INFO: Monitor config for process 5548: C:\tmpnwhtwc92\dll\5548.ini
2020-06-30 13:37:49,265 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:37:49,281 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\HPNfnQi.dll, loader C:\tmpnwhtwc92\bin\iUcdXRa.exe
2020-06-30 13:37:49,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lnakIMJ.
2020-06-30 13:37:49,281 [root] DEBUG: Loader: Injecting process 5548 (thread 5584) with C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,296 [root] DEBUG: Process image base: 0x00240000
2020-06-30 13:37:49,296 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,296 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:37:49,312 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\HPNfnQi.dll.
2020-06-30 13:37:49,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5548
2020-06-30 13:37:49,343 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5548.
2020-06-30 13:37:49,359 [root] INFO: Disabling sleep skipping.
2020-06-30 13:37:49,359 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:37:49,359 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5548 at 0x6a6b0000, image base 0x240000, stack from 0x86000-0x90000
2020-06-30 13:37:49,359 [root] DEBUG: Commandline: C:\Windows\System32\lsass.exe.
2020-06-30 13:37:49,375 [root] INFO: Loaded monitor into process with pid 5548
2020-06-30 13:37:51,359 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-30 13:37:58,359 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:37:58,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3ec amd local view 0x006C0000 to global list.
2020-06-30 13:37:58,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f0 amd local view 0x00840000 to global list.
2020-06-30 13:37:58,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x006C0000 for section view with handle 0x3f0.
2020-06-30 13:37:58,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00840000 for section view with handle 0x3ec.
2020-06-30 13:37:58,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3cc amd local view 0x006C0000 to global list.
2020-06-30 13:37:58,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3e8 amd local view 0x006C0000 to global list.
2020-06-30 13:37:58,406 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:38:24,359 [root] INFO: Process with pid 5548 has terminated
2020-06-30 13:38:30,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x330 amd local view 0x64A70000 to global list.
2020-06-30 13:38:36,359 [root] DEBUG: DLL loaded at 0x64A70000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-06-30 13:38:36,734 [root] DEBUG: DLL loaded at 0x6CC10000: C:\Windows\system32\wshom.ocx (0x21000 bytes).
2020-06-30 13:38:37,140 [root] DEBUG: DLL loaded at 0x714F0000: C:\Windows\system32\MPR (0x12000 bytes).
2020-06-30 13:38:37,156 [root] DEBUG: DLL loaded at 0x6BB20000: C:\Windows\system32\ScrRun (0x2a000 bytes).
2020-06-30 13:38:48,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x408 amd local view 0x006C0000 to global list.
2020-06-30 13:38:48,421 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:38:54,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x354 amd local view 0x00840000 to global list.
2020-06-30 13:39:00,453 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3328.
2020-06-30 13:39:12,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A4B0000 for section view with handle 0x354.
2020-06-30 13:39:12,375 [root] DEBUG: DLL loaded at 0x6A4B0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-30 13:39:18,359 [root] DEBUG: DLL loaded at 0x6E090000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-06-30 13:39:21,656 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 13:39:21,656 [lib.api.process] ERROR: Failed to open terminate event for pid 4132
2020-06-30 13:39:21,656 [root] INFO: Terminate event set for process 4132.
2020-06-30 13:39:21,656 [lib.api.process] INFO: Terminate event set for process 3328
2020-06-30 13:39:21,796 [root] DEBUG: Terminate Event: Skipping dump of process 3328
2020-06-30 13:39:21,843 [lib.api.process] INFO: Termination confirmed for process 3328
2020-06-30 13:39:21,843 [root] INFO: Terminate event set for process 3328.
2020-06-30 13:39:21,843 [lib.api.process] INFO: Terminate event set for process 580
2020-06-30 13:39:26,906 [lib.api.process] INFO: Termination confirmed for process 580
2020-06-30 13:39:26,906 [root] INFO: Terminate event set for process 580.
2020-06-30 13:39:26,906 [lib.api.process] INFO: Terminate event set for process 4608
2020-06-30 13:39:28,359 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3328
2020-06-30 13:39:28,375 [root] DEBUG: Terminate Event: Skipping dump of process 580
2020-06-30 13:39:31,953 [lib.api.process] INFO: Termination confirmed for process 4608
2020-06-30 13:39:31,953 [root] INFO: Terminate event set for process 4608.
2020-06-30 13:39:31,953 [lib.api.process] INFO: Terminate event set for process 464
2020-06-30 13:39:34,359 [root] DEBUG: Terminate Event: Shutdown complete for process 580 but failed to inform analyzer.
2020-06-30 13:39:34,453 [root] DEBUG: Terminate Event: Skipping dump of process 464
2020-06-30 13:39:34,531 [lib.api.process] INFO: Termination confirmed for process 464
2020-06-30 13:39:34,531 [root] INFO: Terminate event set for process 464.
2020-06-30 13:39:34,531 [root] INFO: Created shutdown mutex.
2020-06-30 13:39:35,562 [root] INFO: Shutting down package.
2020-06-30 13:39:35,562 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:39:42,359 [root] DEBUG: Terminate Event: Skipping dump of process 4608
2020-06-30 13:39:42,500 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 464
2020-06-30 13:39:48,359 [root] DEBUG: Terminate Event: Shutdown complete for process 4608 but failed to inform analyzer.
2020-06-30 13:40:12,437 [lib.common.results] WARNING: File C:\entncKzthf\bin\procmon.xml doesn't exist anymore
2020-06-30 13:40:12,484 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:40:12,484 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:40:12,734 [root] WARNING: Folder at path "C:\entncKzthf\debugger" does not exist, skip.
2020-06-30 13:40:12,734 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_1 win7_1 KVM 2020-06-30 13:44:57 2020-06-30 13:50:41

File Details

File Name QUOTE NS-0885995 30062020.exe
File Size 719360 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-05-28 21:29:38
MD5 385c4324119139917e9582184bd33c2a
SHA1 ec03b8dfb45141ac9079bf481f83313139531fcb
SHA256 8d3e005de2a2653aa88e129673e8996751fbeb0628a2710fe0081e424a13d4ff
SHA512 17f444cdf2252ba827cf99fec70fcc459d4c95e96de47ec99c90a083beb9a2267b7b47bd0af8e40dca6055934e584a5626c1a47de3debba3f946126c6a160e06
CRC32 8C3F5B92
Ssdeep 12288:2AwUxiUTMUTRjFNSXo9wWhGk3een0usLZtT:2gISh/fLs
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 0 trigged the Yara rule 'AgentTeslaV2'
Hit: PID 6064 trigged the Yara rule 'AgentTeslaV2'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: InstallUtil.exe tried to sleep 455.975 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/PathAppendW
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: dwrite.dll/DWriteCreateFactory
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: GDI32.dll/GdiEntry13
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/CopyFileEx
DynamicLoader: KERNEL32.dll/CopyFileExW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathA
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetStdHandle
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CreatePipe
DynamicLoader: KERNEL32.dll/CreatePipeW
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentDirectory
DynamicLoader: KERNEL32.dll/GetCurrentDirectoryW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetConsoleOutputCP
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/GetSystemDirectory
DynamicLoader: KERNEL32.dll/GetSystemDirectoryW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: MSVCR120_CLR0400.dll/_unlock
DynamicLoader: MSVCR120_CLR0400.dll/_lock
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/PathAppendW
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: dwrite.dll/DWriteCreateFactory
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: GDI32.dll/GdiEntry13
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: shell32.DLL/SHGetFolderPath
DynamicLoader: shell32.DLL/SHGetFolderPathA
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ADVAPI32.dll/CreateProcessAsUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: MSVCR120_CLR0400.dll/_unlock
DynamicLoader: MSVCR120_CLR0400.dll/_lock
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
Reads data out of its own binary image
self_read: process: QUOTE NS-0885995 30062020.exe, pid: 5376, offset: 0x00000000, length: 0x000afa00
A process created a hidden window
Process: QUOTE NS-0885995 30062020.exe -> "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
CAPE extracted potentially suspicious content
Intelx.exe: Unpacked Shellcode
QUOTE NS-0885995 30062020.exe: Unpacked Shellcode
QUOTE NS-0885995 30062020.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
Intelx.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
QUOTE NS-0885995 30062020.exe: Unpacked Shellcode
Intelx.exe: Injected Shellcode/Data
QUOTE NS-0885995 30062020.exe: Unpacked Shellcode
QUOTE NS-0885995 30062020.exe: Unpacked Shellcode
Intelx.exe: Injected Shellcode/Data
QUOTE NS-0885995 30062020.exe: Unpacked Shellcode
Intelx.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
Intelx.exe: AgentTeslaV2 Payload: 32-bit executable
Intelx.exe: AgentTeslaV2
Drops a binary and executes it
binary: C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
binary: C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe
Uses Windows utilities for basic functionality
command: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
command: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
command: C:\Windows\system32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe:Zone.Identifier
Behavioural detection: Injection (Process Hollowing)
Injection: Intelx.exe(6064) -> InstallUtil.exe(3328)
Executed a process and injected code into it, probably while unpacking
Injection: Intelx.exe(6064) -> InstallUtil.exe(3328)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (464) called API GetSystemTimeAsFileTime 8727322 times
Steals private information from local Internet browsers
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
file: C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inte
data: C:\Windows\system32\pcalua.exe -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
Network activity detected but not expressed in API logs
Attempts to bypass application whitelisting by copying and executing .NET utility in a suspended state, potentially for injection
Copy: c:\users\rebecca\appdata\local\temp\quote ns-0885995 30062020.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Process: Intelx.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
CAPE detected the AgentTeslaV2 malware family
File has been identified by 15 Antiviruses on VirusTotal as malicious
FireEye: Generic.mg.385c432411913991
McAfee: Fareit-FVT!385C43241191
Sangfor: Malware
Cybereason: malicious.fb4514
BitDefenderTheta: Gen:[email protected]
F-Prot: W32/MSIL_Kryptik.AWA.gen!Eldorado
ESET-NOD32: a variant of MSIL/Injector.UWI
ClamAV: Win.Malware.AgentTesla-7660762-0
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Ikarus: Win32.Outbreak
Cyren: W32/MSIL_Kryptik.AWA.gen!Eldorado
ZoneAlarm: UDS:DangerousObject.Multi.Generic
APEX: Malicious
Qihoo-360: Generic/HEUR/QVM03.0.3E83.Malware.Gen
Creates a copy of itself
copy: C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Rebecca\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Users\Rebecca\AppData\Local\Temp\shell32.DLL
\Device\NamedPipe\
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
\??\MountPointManager
C:\Users\Rebecca\AppData\Local\Temp\REG.*
C:\Users\Rebecca\AppData\Local\Temp\REG
C:\Python27\REG.*
C:\Python27\REG
C:\Python27\Scripts\REG.*
C:\Python27\Scripts\REG
C:\Windows\System32\REG.*
C:\Windows\System32\reg.COM
C:\Windows\System32\reg.exe
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe.config
C:\Users\Rebecca\AppData\Roaming
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows
C:\Users\Rebecca\AppData\Roaming\Microsoft
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.INI
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe:Zone.Identifier
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\MSVCP120_CLR0400.dll
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe.Local\
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\shell32.DLL
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\xfOdIjUAZeW2afc1ff3#\*
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.INI
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\OLEAUT32.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
C:\%insfolder%\%insname%
C:\Users\Rebecca\AppData\Local\Elements Browser\User Data
C:\Users\Rebecca\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Rebecca\AppData\Local\Iridium\User Data
C:\Users\Rebecca\AppData\Local\QIP Surf\User Data
C:\Users\Rebecca\AppData\Local\Kometa\User Data
C:\Users\Rebecca\AppData\Local\Coowon\Coowon\User Data
C:\Users\Rebecca\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Rebecca\AppData\Local\CocCoc\Browser\User Data
C:\Users\Rebecca\AppData\Local\Chedot\User Data
C:\Users\Rebecca\AppData\Local\Comodo\Dragon\User Data
C:\Users\Rebecca\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Rebecca\AppData\Local\Torch\User Data
C:\Users\Rebecca\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Rebecca\AppData\Local\Vivaldi\User Data
C:\Users\Rebecca\AppData\Local\7Star\7Star\User Data
C:\Users\Rebecca\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Rebecca\AppData\Local\CentBrowser\User Data
C:\Users\Rebecca\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Rebecca\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Rebecca\AppData\Local\liebao\User Data
C:\Users\Rebecca\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Rebecca\AppData\Local\Amigo\User Data
C:\Users\Rebecca\AppData\Local\Orbitum\User Data
C:\Users\Rebecca\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Rebecca\AppData\Local\Chromium\User Data
C:\Users\Rebecca\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\*
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Program Files\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\Rebecca\AppData\Roaming\Claws-mail
C:\Users\Rebecca\AppData\Roaming\Claws-mail\clawsrc
C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\The Bat!
C:\Users\Rebecca\AppData\Local\Microsoft\Edge\User Data
C:\Users\Rebecca\AppData\Local\Temp\vaultcli.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Storage\
C:\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\FTP Navigator\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
C:\Users\Rebecca\AppData\Roaming\Psi\profiles
C:\Users\Rebecca\AppData\Roaming\Psi+\profiles
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\logins.json
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\signons.sqlite
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Pocomail\accounts.ini
C:\Users\Rebecca\AppData\Local\Temp\Folder.lst
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\cftp\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\Users\Rebecca\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Program Files\jDownloader\config\database.script
C:\Users\Rebecca\AppData\Local\UCBrowser\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\Temp
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe.config
C:\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
\Device\NamedPipe\
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe.config
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\FTP Navigator\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Users\Rebecca\AppData\Local\Temp\QUOTE NS-0885995 30062020.exe:Zone.Identifier
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe:Zone.Identifier
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_CURRENT_USER\Control Panel\Desktop\LanguageConfiguration
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Intelx.exe
\x8070\x1b3EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes\AppID\Intelx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\7FF4B4E4
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallUtil.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
\xd7d0\xa9EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes\AppID\InstallUtil.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\5F1C450F
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_USERS\S-1-5-20_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{0365CF74-3AAC-4E1B-B48B-6BE32F81EFAA}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{06BE06E0-966E-467E-A130-121F57FF2CF1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{80E19595-3B13-456F-9DDA-359B4CD31456}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{F486E2F1-8AF3-4DF2-AEEA-DDCA68039582}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Audiosrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inte
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
"C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
C:\Windows\system32\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Inte /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Rebecca\AppData\Roaming\Microsoft\Windows\Templates\Intelx.exe"
"C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe"
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
VaultSvc

PE Information

Image Base 0x00400000
Entry Point 0x004a05de
Reported Checksum 0x00000000
Actual Checksum 0x000b3ee6
Minimum OS Version 4.0
Compile Time 2020-05-28 21:29:38
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744
Icon Exact Hash f54df2a9811de7e5c4f1847bfd137771
Icon Similarity Hash d9ea8bbf0bc43a718e98017ec75fcc30

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x0009e5e4 0x0009e600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.10
.rsrc 0x0009e800 0x000a2000 0x00010eae 0x00011000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.11
.reloc 0x000af800 0x000b4000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.08

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000a2130 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 3.99 None
RT_GROUP_ICON 0x000b2958 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 1.98 None
RT_VERSION 0x000b296c 0x00000358 LANG_NEUTRAL SUBLANG_NEUTRAL 3.60 None
RT_MANIFEST 0x000b2cc4 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name z/5
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
PresentationFramework 4.0.0.0
System.Xaml 4.0.0.0
System 4.0.0.0
System.Drawing 4.0.0.0
System.Windows.Forms 4.0.0.0
System.Management 4.0.0.0
Microsoft.Build.Utilities.v4.0 4.0.0.0
cEVVUEwqFsUHTWefJBsfbIyNvvkgA 0.0.0.0
System.Core 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute Ay2#8_pY&F7j
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute 3Jy)d_S9Ks8^4
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute Ex3^q2%[email protected]
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 1997 - 20
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 9.13.17.
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute k$4J%Dx8Ho3(!Zf5
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 314062f3-da66-40b9-ba62-b612bf752c

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.SuppressIldasmAttribute
mscorlib System.Reflection.Assembly
mscorlib System.ResolveEventArgs
mscorlib System.ValueType
mscorlib System.Object
mscorlib System.IO.Stream
mscorlib System.Environment
mscorlib System.Environment/SpecialFolder
mscorlib System.Globalization.CultureInfo
mscorlib System.Text.StringBuilder
PresentationFramework System.Windows.Controls.UserControl
System.Xaml System.Windows.Markup.IComponentConnector
mscorlib System.Security.Cryptography.HashAlgorithm
mscorlib System.Collections.Generic.Dictionary`2
mscorlib System.IO.FileStream
System System.Diagnostics.Process
mscorlib System.IO.MemoryStream
mscorlib System.IDisposable
mscorlib System.IO.FileMode
mscorlib System.IO.FileAccess
mscorlib System.IO.FileShare
mscorlib System.IO.StreamReader
mscorlib System.IO.TextReader
System System.Uri
System System.UriKind
mscorlib System.Security.Cryptography.SHA256Managed
System System.Diagnostics.ProcessModule
mscorlib System.Collections.Generic.IList`1
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
System.Drawing System.Drawing.Bitmap
System.Drawing System.Drawing.Rectangle
System.Drawing System.Drawing.Image
mscorlib System.Random
System.Drawing System.Drawing.Imaging.ImageFormat
System.Drawing System.Drawing.Size
mscorlib System.Diagnostics.StackTrace
mscorlib System.Diagnostics.StackFrame
mscorlib System.InvalidOperationException
mscorlib System.Reflection.MethodBase
mscorlib System.Reflection.Module
mscorlib System.Reflection.MemberInfo
mscorlib System.Resources.ResourceManager
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
mscorlib System.Enum
System.Drawing System.Drawing.Imaging.BitmapData
mscorlib System.Threading.Tasks.Task
mscorlib System.StringComparison
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
System.Windows.Forms System.Windows.Forms.MessageBoxIcon
System.Management System.Management.ManagementObjectSearcher
System.Management System.Management.ManagementObjectCollection
System.Management System.Management.ManagementObjectCollection/ManagementObjectEnumerator
System.Management System.Management.ManagementBaseObject
mscorlib System.AppDomain
mscorlib System.Reflection.AssemblyName
mscorlib System.Reflection.Emit.AssemblyBuilder
mscorlib System.Reflection.Emit.AssemblyBuilderAccess
mscorlib System.Reflection.Emit.ModuleBuilder
mscorlib System.Reflection.Emit.MethodBuilder
mscorlib System.Reflection.MethodAttributes
mscorlib System.Reflection.CallingConventions
mscorlib System.Runtime.InteropServices.CallingConvention
mscorlib System.Runtime.InteropServices.CharSet
mscorlib System.Reflection.MethodImplAttributes
mscorlib System.Reflection.MethodInfo
mscorlib System.Exception
PresentationFramework System.Windows.MessageBoxResult
PresentationFramework System.Windows.Window
System.Drawing System.Drawing.Imaging.ImageLockMode
System.Drawing System.Drawing.Imaging.PixelFormat
mscorlib System.Array
mscorlib System.Threading.WaitHandle
mscorlib Microsoft.Win32.SafeHandles.SafeWaitHandle
PresentationFramework System.Windows.Controls.Page
Microsoft.Build.Utilities.v4.0 Microsoft.Build.Utilities.TargetDotNetFrameworkVersion
mscorlib System.ArgumentNullException
System System.IO.Compression.DeflateStream
System System.IO.Compression.CompressionMode
System System.Diagnostics.ProcessStartInfo
mscorlib System.Security.Policy.Zone
mscorlib System.Security.SecurityZone
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
mscorlib System.IO.BinaryReader
mscorlib System.Text.Encoding
mscorlib System.Decimal
mscorlib System.Collections.Hashtable
mscorlib System.RuntimeFieldHandle
mscorlib System.Attribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.STAThreadAttribute
mscorlib System.FlagsAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Security.SecuritySafeCriticalAttribute
mscorlib System.Char
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Byte
mscorlib System.UInt32
mscorlib System.Collections.IStructuralEquatable
mscorlib System.Buffer
mscorlib System.String
mscorlib System.Math
mscorlib System.Guid
mscorlib System.IFormatProvider
mscorlib System.IntPtr
mscorlib System.Int32
mscorlib System.IComparable`1
mscorlib System.IComparable
mscorlib System.IConvertible
mscorlib System.IO.Path
mscorlib System.IO.File
PresentationFramework System.Windows.Application
mscorlib System.Collections.IEnumerable
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.Collections.Generic.ICollection`1
mscorlib System.Runtime.Serialization.ISerializable
System System.ComponentModel.Component
mscorlib System.MarshalByRefObject
System.Drawing System.Drawing.Point
mscorlib System.Security.IEvidenceFactory
System.Core System.Linq.Enumerable
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Boolean
mscorlib Microsoft.Win32.Registry
System.Windows.Forms System.Windows.Forms.MessageBox
mscorlib System.Collections.Generic.List`1
mscorlib System.IO.IOException
PresentationFramework System.Windows.MessageBox
mscorlib System.Convert
mscorlib System.BitConverter
mscorlib System.Threading.Thread
mscorlib System.ICloneable
Microsoft.Build.Utilities.v4.0 Microsoft.Build.Utilities.ToolLocationHelper
mscorlib System.IEquatable`1
mscorlib System.SByte
mscorlib System.Int16
mscorlib System.Int64
mscorlib System.Double
mscorlib System.Single
mscorlib System.UInt64
mscorlib System.UInt16
mscorlib System.DateTime
mscorlib System.Collections.ICollection
mscorlib System.Threading.Monitor

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
~E0Wuo
$RE4Q.DU~^
a<R[_
mJ3YC
~lVBs
V&_`,m"C
8F~Ne
=jG2[e
Pp">VL
}5_ov
d}4#XSEp
}0+,pw
X:(2O
SQL{)e[
){@j,
5Z /S
MJ5Z
rZ T/s
A4oa8
a8Z N
~RZ O
"Wa8N
fnZ T_H`a8
b%&8Q
xI%&8
D+a8z
lZa88
Z 28f:a8
_z^Z '
[%&8g
\EHh%+
@Wa8]
w#>E8^
Z K;y*a82
qgZ .%
ippa%
>zD+Z
j_a8"
*G%Z
iv,a%
_Z kuUDa8
@.O48U
^1MZ
)$B8K
W;{Z
ehXg%+
G1$%&8
'Dy8N
P(Z y
Z doe
XZ KAF
w.|+%+
~eM%+
v(2%&
Li&Za8
Ysd%&8f
'Dy8Y
Ysd%&8F
_Ea8]
}:%&85
tka8e
#0YNZ
rNa8t
Z.y%&8"
qZ |1(Na8
JP2%&8
p*bR
Z FN<~a8
oZa8{
~Ea8_
*-a8%
Vta8M
Z J?6sa8
,^Z X
yva8E
=Z \#^
.EZ K
Z G*-a8S
Ppa8g
6z-5(
C9r8"
Z .8?
bZ AZ
),Ea%
7\qA+
'u.8p
'u.8"
Z [7iia8
Ll%&8[
nKZ q
a=a8/
KZ 0UO
|]z8Z
mZ a8E
Z 8{R
KYGl(
lSj"Za8S
>S:Z N
?Z %@
RBw1
eW2a%
@uP%Z
N<a8Y
pO%&8
Z )ar
aHUiZ
#%ci%8
Z N|D1a8.
'x?6%&8o
16M%8
Vo%&8N
zXLZ
$R3Z
dh$)Z
5Za8K
Z 8mg
"Z YBa
.Z \C
XZ 1~
>Z pn
AiG)(
)]SZ
u/Va%
u/Va%
Qfa8c
zv%&8
u/Va%
.<a8.
j/s%&8
+S)%8
a%&8{
+S)8V
HAa8+
>(na8
X.JG8}
MXN2Z
!Z !+
drZ AwXa8
4Z )?
iOj%&8
UO[%8
{7YZ
Z 3`s
Z X,n
&la8R
m[%&8
|+fa8
o%&8x
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD`
5J<`$
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
bl;/D
+>U LV
`.rsrc
@.reloc
.text
!This program cannot be run in DOS mode.
FILEPRINCIPALA
AVEGHEREPACK
SUPRAVEGHEREREG
SUPRAVEGHERENSEI
SELECTIONAREHOST
PREVENIRE
CHINUI
REVEDUIVM
REVEDUISB
AMANA
INTITULARE
STABILIDOSAR
DENUMIREINST
Intelx.exe
DOSARSTm
STABILI
CHEIE
-Software\Microsoft\Windows\CurrentVersion\Run
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ak?ZCq
=)Ct`n
BiPJ
qt3q5
_GK70
hn>+~h
-fgi)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
`F>~I
`##V!
G=hy*%
8Db<xG
$ldAO
`N52e
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
*W<=Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
&aqZ
s`Z !
>QGa8
AZ V0
.;}a8G
QYsZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
CZ j\
TC,Z
HL1a8
SUZ MC
fswsZ
AqZ A
d^?a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
3q_Z l
S4vZ [
XZ OR
q}Z }:j
gZ n0
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
7{Z D
q-ia%
+<a8d
@&Z V
gI1Z ]w
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
KZ NSH;a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
RZ /?
Z h(^
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:)qa8
erCAZ
;$a8C
k_<a8%
Z $m$
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z h1jsa8
Yya8x
Z @*=
ToZ j|#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
dZ .v*
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;ctH{@
bkbJ#
uRQMo
f_'ENB'
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
NZ JWH
Z &T
3:EZ
!JZ -Tm
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
]eZ k*:
hyNZ d
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
-Z Pi
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z %|S^a8
9NZ NQ
Z w\D
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
"`Z L
)Z ^b&+a8
Z Nn7$a86
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z o/u
b~ @wnWa%
@wnWa%
K!|a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
e2pa8
*^Z a
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
wZ Jd
_Z 2b,
wZ Ou-
_^a8d
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z 4P
E-a8#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
+?Z01
_C0(G
SUm}C
9` dJ}
dt1>am
eN~F5
X1qf1
}b^hO
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:(4a8T
6Z W7$
CZ {"r
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
vp9a8B
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z UXr
{Z I>
XYu7
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
L+u]8q
C:/Z $\m
Jo>}8
Wea8p
Z kJI
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
G|a8+
hzwZ ,
@ba8p
~>Z z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
%:]a8G
Z eA^
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
(Ja8E
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
AfZF D
8a8a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
s!Z _W)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
aZ J|
,jZa8
1s$Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
C(Yg2Ro
qhDNJ
ul(FzP
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
,]UZ
?Z A=
JdOa8v
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
+N,
2mGZ
AJna%
]kZ C#I
AJna%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
DMHZ X
DTa8]
Z Rc#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
2Z TL
hJw`Z
Q!aZ }X
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
hhZ M
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z 0ig
Z 5M9
m3a8:
#8aZ
%?&/Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
+Z uQn
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
`3C N
*"a8L
HkXa8%
^Z 5Y
Z Mqo
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
??148P
Z `ET(a8
WZ C8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
4TpZ .
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
~o#"7
Q:_1Q
66*}pcG
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
|2Ua8p
.Z 0>
S\-Z
@[%Z F!S
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
1l>}8f
I]gZ
Z +WY
"OZ G
VZ /\
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
YXZ Mx
}Z `B
,wZ (
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
aWma8
Z K-?
W-Z v
IZ OdVha(h
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z Y9B
s8a8w
!?a8I
bKZ qg/
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
WtnBZ tO
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z ^>:aa8
i[.~89
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
/4a8:
Z uz!
xy.a8+
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z D'l
y(VbZ I
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
hZ +Z
Z 4.Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
B^'7bI
=WO42
D'N3&
5,|n4
h<a4,
7ukXJ}1
jROis
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
PkKa8
44Z M
@EZ :dl
4ga8%
!=a8f
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
hBa8r
THa8T
B$-a8>
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
"4Z \
Z VmRAa8
m<ea8S
R*Z !
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
-*kZ ,
--$a8
8"(Z
Z 2]H
sBZ
X-^:a8
6*MZ ,)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
/a88t
(BUZ V
?`JZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Q&a8u
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
%wa8^(
HQZ h
<XZ CbT
i'Oa8
m{U}Z D
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Vk%;Z
a8"#$a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z (l0
'BR8Z
}la8w
j^Ua8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
g>a8+
j_Ga89
AOZ q
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
S|p[d
i~lr0
$!p:3\>
K-Yoaj
a";38
X()q5
_Gin$
lPom?*]
3mZA{
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Vxba8
Z 4S*ta8,
=Z 3{
jxZ 7
~(a8I
Z yA&
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
..:a8
Z 588
_Z 3u
W0ma8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
|.a8q
Z iL}_a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
B VTXaa%
w VTXaa%
x+%Z Y
Z w4)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
>]ma8
5%a8c
clTZ
fZ >W
`Z YH
s*{5Z
Z t!YBa8Y
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
UkZ l
qa8^
V,Z ,
AQa86
&Z t[U
|Sr&Z
<0oa8
Z `\q
/|"NZ V
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
a8a8G
Z >FD
WuIa8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
u(BZ
\zNa8
sSwa8
L~Z B
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
#:UZ
& MJ4
tZ qT
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
dn#R%
c7|Mk
gf&)g
]o!m7
8Sgml$
Y.#IE
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
a8)a8
%<dZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
IrUa8
ZT'8!
(8!:a8
Cka8b
;Z v?
sZ J{
}Oa8`
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z yyJ
|Z cQE
"Z [Z
n"aZ \
NCZ -
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
9MPa%
aNqZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z x>/wa8F
*Z 76U
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
k/Z e
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
*,Ya8
$IZ J
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
q{Z ~
4 Z gT
o0poa
E)a8M
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
uTa8l
pRa8%
=_~ 8\
v_1a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Yza8S
~#ia%
BZ {S
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
'+E6~]a|
!M10;
:xL"3
M/5+K
&Z/N2
KDd}5
Y*S8"U
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
4o~Z V
;.Z K
95a8e
Z K_%
uV5a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cGZ 6
+tjZ
f,@Z ;v]
dsYOZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
m`Z ivA
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
m3Z d
T{>Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
KnZ 60
[}Z n
k$Ia%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Fwa8$
O|AZ
Z tKl
Z heB
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
e3`a8_
Z hcZ
]D{58
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
stZ DGS
:/a87
8O)4Z /
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
nd"7Z
]918>
Z js,
l Z %|/
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_z]8!*
=y[ J.
4Zr[#
?/j6V&
<c/j{
"8N7#
u0"`h
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
8Q8k8
ak`mZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
V|Z Q
S;a8R
?Z T[
'ovO8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
bOa8i
~212e
)U=Z
td_Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
(Ia8e
iaIoZ
;ifq8
KZ \k
Z ?%Nma8
:OXa8
N~wB84
Z 5 u
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Bi<Z #
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
}G=a%
Z }b!
yQZ 8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
bj`a8
/sZ 5
@xcg8,
Z fiB
Z XXx
0}a8-
`JCZ
aMZ n
H2tHZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
"rCa8"
KDBM(
vN7G
Z ;i}
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
GtZ|Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
3x7mv
h{Q{*
z{yM`
c6P=8
X#:r%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ZE:#I
xB,t%
kvC^l-
"^e&<
Gd`@2H
wMpEF
a=m}cC
~p~,N
'R?Kl
2]xQD
j]@"c
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v4.0.30319
#Strings
aC<a8Y
N"a8,
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
#GUID
#Blob
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
33(3"
?3(3"
K3(3"
l2Z-_
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
GW *}
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
oF*>l
P_6A:
C=}c(
oqddj
Gcm]o
hq>dM
%G.jFz
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
!/!;!
" * 6 @ W l w
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
GetLastInputInfo
user32.dll
get_r
m_ThreadStaticValue
get_GetInstance
get_User
get_WebServices
Provider
m_MyWebServicesObjectProvider
get_Computer
get_Applicationsic.Devices
m_ComputerObjectProvider
m_AppObjectProvider
m_UserObjectMicrosoft.VisualBasic.ApplicationServices
Computer
Microsoft.VisualBa
Microsoft.VisualBasic
ApplicationBase
pneam
System.IO
nyscorlib
ValueType
System
.ctor
Object
.cctor
FOhLEQuOVyB.exe
<Module>
xfOdIjUAZeWYZyRBOsHCWx
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Password
get_PasswordHash
get_Password
set_Password
Value
dwTime
value__
OperatingSystemName
ProcessorName
AmountOfMemome
System.Windows.Forms
cbSiout
user32
ToUnicodeEx
GetWindowThreadProcessId
GetKeyboardLayfcl
EnumProcessModules
psapi.dll
GetModuleFileNameExWindowTextLength
GetKeyboardState
MapVirtualKey
ndWindow
StringBuilder
System.Text
GetWindowText
GetForegrounel32
GetModuleFileNameA
MoveFileExWions.Generic
MemoryStream
DeleteFile
IList`1
System.CollectentArgs
System.Timers
fsem.Drawing.Imaging
ImageFormat
ElapsedEvk
System.Drawing
ImageCodecInfo
Systm
ipboardHook
set_ClipboardHook
WithEventsValue
get_kbHook
set_kbHoo
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
BASE64
Item1
Item2
Item3
iItem1
iItem2
iItem3
List`1
v_UserName
set_UserName
get_URL
set_URL
get_Browser
set_Browser
System.Security.Cryptography
getvxe
LLKHF_ALTDOWN
LLKHF_UP
nCode
wParam
lParam
vkCode
scanCode
flags
dwExtraInfo
LLKHF_EXTENDED
LLKHF_INJECt
add_KeyDown
remove_KeyDown
add_KeyUp
remove_KeyUp
rb2.dll
CallNextHookEx
UnhookWindowsHookEx
oYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
SetWindowsHookEx
User3nvoke
DelegateAsyncResult
Invoke
WH_KEYBOARD_LL
HC_ACTION
WM_KEsyncResult
AsyncCallback
sender
DelegateCallback
DelegateAsyncState
EndIinalize
MulticastDelegate
TargetObject
TargetMethod
BeginInvoke
IAage
add_Changed
remove_Changed
WndProc
Message
SetClipboardViewer
ChangeClipboardChain
SendMessm
NativeWindow
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
objects
get_Data
set_Data
GetAsnString
Lenght
objects
_objects
_Data
get_Type
set_Type
get_Lenght
set_Lenght
get_objects
BitString
OctetString
ObjectIdentifier
Asn1DerObject
_Type
_Lenghtb
Asn1Der
Parse
dataToParse
Sequence
IntegeraluePair`2
get_Version
set_Version
get_Keys
set_Keys
FileName
KMeleon
IceCat
PaleMoon
IceDragon
WaterFox
_Version
_Keys
KeyVxe
Mozilla
Postbox
Thunderbird
SeaMonkey
Flock
BlackHawk
CyberFoje
Dictionary`2
mytring
GetPrivateProfileS
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
T(p8]
\au0,w
qBk|'
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
basntId
xqlModified
dwFlags
dwPropertiesCount
pPropertyElements
SchemaElemepResourceElement
pIdentityElement
pAuthenticatorElement
pPackageSid
Lastr
PackageSid
AppStart
AppEnd
SchemaId
pszCredentialFriendlyName
ectedArray
Attribute
Illegal
Resource
Identity
Authenticatoort
UnsignedShort
UnsignedInt
Double
String
ByteArray
TimeStamp
Prothcl
Undefined
Boolean
VaultEnumerateItems
VaultGetItem
tCloseVault
VaultFree
VaultEnumerateVaults
VaultOpenVault
vaultcli.dll
Vaulrc
iterations
Rijndael
HmacAlgorithm
sSalt
IterationCount
algorithm
passwor
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
NFO_VERSION
STATUS_AUTH_TAG_MISMATCH
BCryptOpenAlgorithmProvider
bcrITIVE_PROVIDER
BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG
BCRYPT_INIT_AUTH_MODE_IH
BCRYPT_CHAINING_MODE
BCRYPT_KEY_DATA_BLOB
BCRYPT_AES_ALGORITHM
MS_PRIMB_MAGIC
BCRYPT_OBJECT_LENGTH
BCRYPT_CHAIN_MODE_GCM
BCRYPT_AUTH_TAG_LENGTytb
ERROR_SUCCESS
BCRYPT_PAD_PSS
BCRYPT_PAD_OAEP
BCRYPT_KEY_DATA_BLOpressedSize
HeaderOffset
FileOffset
HeaderSize
Crc32
ModifyTime
Comment
Store
Deflate
Method
FilenameInZip
FileSize
duryec
DateTime
qurForceDeflating
ZipFileStream
FileAccess
RegQueryValueEx
EncodeUTF8
Handle
RegOpenKeyEx
Advapi32
RegClos
SafeHandle
System.Runtime.InteropServices
get_IsInvalid
Release
zrgle_name
root_num
sql_statement
GetVolumeInformationA
row_id
content
item_type
item_name
astab
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ompilerServices
HelpKeywordAttribute
System.ComponentModel.Design
MyGrou
HideModuleNameAttribute
StandardModuleAttribute
Microsoft.VisualBasic.Cibute
System.CodeDom.Compiler
DebuggerHiddenAttribute
System.DiagnosticsleAttribute
System.ComponentModel
EditorBrowsableState
GeneratedCodeAttrm.Runtime.CompilerServices
CompilationRelaxationsAttribute
EditorBrowsabYZyRBOsHCWxFOhLEQuOVyB
GuidAttribute
RuntimeCompatibilityAttribute
Systetwl
xfOdIjUAZeWalg
Dispose
dwMinLength
dwMaxLength
dwIncrement
pbLabel
cbLabel
bAuthData
pbTag
cbTag
pbMacContext
cbMacContext
cbAAD
cbData
zAlgId
cbSalt
IDisposable
dwInfoVersion
pbNonce
cbNonce
pbAuthData
BCryptDecrypt
BCryptDestroyKey
BCryptEncrypt
BCryptImportKey
BCryptGetProperty
BCryptSetProperty
t.dll
BCryptCloseAlgorithmProvider
ElapsedEventHandler
add_Elapsed
CreateDirectory
DirectoryInfo
PathnmentVariable
Concat
Directory
Exists
SystemInformation
get_ComputerNamenterval
Start
Operators
CompareString
get_Location
Environment
GetEnviroep
Timer
Process
Exception
RegistryKey
Microsoft.Win32
set_Enabled
set_ITypeHandle
ToString
Activator
CreateInstance
Thread
System.Threading
Sleth
Write
GetObjectValue
Equals
GetHashCode
GetTypeFromHandle
Runtimecryptor
ICryptoTransform
TransformFinalBlock
ReadByte
get_Length
Mably
GetCallingAssembly
Create
SymmetricAlgorithm
set_Key
set_IV
CreateDeEncoding
get_UTF8
GetString
Assembly
System.Reflection
GetExecutingAssemeHelpers
InitializeArray
Array
RuntimeFieldHandle
Buffer
BlockCopy
e.ConstrainedExecution
Consistency
ParamArrayAttribute
UInt32
RuntimrityAttribute
System.Security
ReliabilityContractAttribute
System.RuntimionsAttribute
System.Runtime.ExceptionServices
SuppressUnmanagedCodeSecue
FlagsAttribute
DefaultValueAttribute
HandleProcessCorruptedStateExceptlerGeneratedAttribute
AccessedThroughPropertyAttribute
STAThreadAttributm
ollectionAttribute
ComVisibleAttribute
ThreadStaticAttribute
Compi
llText
ServerComputer
get_Info
ConcatenateObject
Contains
DeleteValet_TickCount
Monitor
Enter
ReadAllText
EscapeDataString
AppendAFromScreen
Quality
get_Jpeg
get_Param
set_Position
Marshal
SizeOf
get_Screen
Screen
get_Bounds
get_Width
get_Height
FromImage
Image
Copycs
Encoder
EncoderParameter
EncoderParameters
Bitmap
Rectangle
Point.RegularExpressions
Split
ToArray
ToBase64String
Replace
get_Now
GraphiName
GetImageEncoders
get_FormatID
get_Guid
op_Equality
Regex
System.Text
ToDouble
Round
GetCurrentProcess
get_ProcessName
get_Id
GetProcessesBypertyValue
MoveNext
get_TotalPhysicalMemory
UInt64
Conversion
Converget_OSFullName
GetEnumerator
get_Current
ManagementBaseObject
GetPro
ManagementObject
ManagementObjectCollection
ManagementObjectEnumerator
DownloadFile
ComputerInfo
System.Management
ManagementObjectSearcherrsions
ToInteger
ToBoolean
Application
WebClient
System.Net
GetTempPutes
FileAttributes
Registry
CurrentUser
OpenSubKey
SetValue
Close
ConveName
ProjectData
SetProjectError
ClearProjectError
Delete
SetAttribm
etFullPath
GetProcesses
get_MainModule
ProcessModule
get_File
ximumAutomaticRedirections
set_UserAgent
ServicePointManager
set_Securitequest
WebResponse
StreamReader
set_Timeout
set_AllowAutoRedirect
set_MaSubject
get_ExecutablePath
get_Millisecond
Substring
StartsWith
HttpWebRody
Collection`1
System.Collections.ObjectModel
set_IsBodyHtml
set_leName
get_Attachments
AttachmentCollection
set_Name
set_MediaType
set_BdentialsByHost
set_Port
get_ContentDisposition
ContentDisposition
set_Fipe
System.Net.Mime
set_Host
set_EnableSsl
set_UseDefaultCredentials
SmtpClient
System.Net.Mail
MailAddress
MailMessage
Attachment
ContentTyange
IEnumerable`1
Interaction
Environ
AppendLine
ThreadStart
Clearions
Enumerator
GetFolderPath
SpecialFolder
Combine
IEnumerable
AddRlCompareObjectGreater
ICollection`1
get_Count
IEnumerator
System.CollectlyObject
CompareObjectLess
NotObject
ModObject
SubtractObject
Conditionaer
get_Item
set_Item
ToGenericParameter
LateIndexGet
DivideObject
Multipth
LateSetComplex
Int32
LateCall
GetRequestStream
RNGCryptoServiceProvidntials
set_Method
GetBytes
NewLateBinding
LateGet
ToLong
set_ContentLengm
FtpWebRequest
WebRequest
NetworkCredential
set_Credentials
ICrede
ullName
RegexOptions
get_Success
ProtectedData
Unprotect
DataProtectionSta
GetObject
Append
get_Default
IsNullOrEmpty
GetParent
get_Parent
get_Flass
Empty
GetInstances
get_Properties
PropertyDataCollection
PropertyDaroups
GroupCollection
Group
Capture
get_Value
GetDirectories
ManagementClection
GetDirectoryName
GetFileName
Match
Matches
MatchCollection
get_Gdules
Module
GetHINSTANCE
ToInt32
op_Inequality
GetRandomFileName
KeyColteHandle
get_Msg
get_LParam
get_WParam
GetType
PtrToStructure
GetMogMode
CreateEncryptor
FromBase64String
Delegate
Remove
CreateParams
CreaESCryptoServiceProvider
TripleDES
set_Mode
CipherMode
set_Padding
Paddin
UTF8Encoding
MD5CryptoServiceProvider
HashAlgorithm
ComputeHash
TripleDrd
Keyboard
get_AltKeyDown
get_CtrlKeyDown
get_CapsLock
get_ShiftKeyDownileVersionInfo
GetVersionInfo
get_ProductName
ToLower
ToUpper
get_Keyboaext
EndsWith
GetProcessById
IntPtr
get_Handle
op_Explicit
get_Capacity
FFlush
get_Clipboard
ClipboardProxy
Microsoft.VisualBasic.MyServices
GetTs
set_KeepAlive
set_ContentType
GetResponse
GetResponseStream
ReadToEnd
rotocol
SecurityProtocolType
CredentialCache
get_DefaultCredential
seShellExecute
set_CreateNoWindow
WaitForExit
get_StandardOutput
StringCtartInfo
ProcessStartInfo
set_Arguments
set_RedirectStandardOutput
set_UetCharCount
GetChars
BitConverter
ToInt16
ReadLine
get_EndOfStream
get_SEqual
ConditionalCompareObjectLess
Floor
Initialize
Decoder
GetDecoder
ToChar
Random
FileStream
FileMode
FileShare
ConditionalCompareObjectFileSystem
FileAttribute
StringSplitOptions
ReadAllBytes
XorObjscapeDataString
Format
get_Chars
IndexOf
ToCharArray
Information
UBound
get_ItemOf
XmlElement
get_InnerText
get_Unicode
Resize
AddObject
UneInStr
ToByte
System.Xml
XmlDocument
XmlNodeList
XmlNode
get_ChildNoeSet
Escape
Strings
CompareMethod
StringType
MidStmtStr
eadAllLines
get_Values
RijndaelManaged
ChangeType
Rfc2898DeriveBytes
Lattion
GetSubKeyNames
TrimEnd
get_Registry
RegistryProxy
ValueCollection
RSecurityIdentifier
System.Security.Principal
ReadInt32
GetFiles
SearchOpal
get_Size
GetField
GetValue
ReadInt16
Int16
ReadIntPtr
PtrToStringUni
areObjectNotEqual
ToInt64
ContainsKey
ConditionalCompareObjectGreaterEqum
FieldInfo
get_OSVersion
OperatingSystem
Version
ConditionalComp
yptographicException
t_Minute
get_Hour
get_Day
get_Month
get_Year
AllocHGlobal
FreeHGlobal
Crystem.IO.Compression
CompressionMode
SetLength
get_CanSeek
get_Second
geriteTime
DirectorySeparatorChar
LastIndexOf
get_Position
DeflateStream
Sget_FileSystem
FileSystemProxy
handle
InvalidOperationException
GetLastWt16
Utils
CopyArray
LTrim
CompareTo
CreateProjectError
CreateObject
Int64
get_BigEndianUnicode
ToULong
Subtract
Multiply
ToUInt64
ToUIndObject
CompareObjectEqual
CompareObjectGreater
OrObject
Decimal
Comparer
SHA1CryptoServiceProvider
HMACSHA1
HMACSHA256
CompareObjectNotEqual
System.Globalization
get_InvariantCulture
NumberStyles
IFormatProvideeverse
AppendFormat
get_HashSize
IsLittleEndian
get_Key
get_IV
CultureInm
parison
BinaryReader
OpenRead
get_BaseStream
get_ASCII
ClipboardHook
kbHook
ols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
My.User
My.WebServices
4System.Web.Services.Protoc
MyTemplate
14.0.0.0
My.Computer
My.Application
a-9bd1-2a6a45a93400
WrapNonExceptionThrows
$474e89d2-0c8d-4f7
_CorExeMain
mscoree.d
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>"1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion=
<?xml version="1.0" encoding="UTF-8" standalone="yes
NUMEROTAREFILE
DISPAREA
NUMEFILADISPARUTA
Disabled permanen
mbly>
</requestedPrivileges>
</security>
</trustInfo>
</asse
v4.0.30319
#Strings
#GUID
#Blob
Microsoft.Build.Utilities.v4.0
Form0
get_Scan0
IComparable`1
IEnumerable`1
IEquatable`1
ICollection`1
IList`1
kernel32
Microsoft.Win32
ReadUInt32
ToUInt32
ReadInt32
ToInt32
Dictionary`2
ReadUInt64
ReadInt64
ReadUInt16
ReadInt16
ToInt16
get_UTF8
<Module>
cEVVUEwqFsUHTWefJBsfbIyNvvkgA
System.IO
value__
BitmapData
mscorlib
System.Collections.Generic
GetProcessById
Thread
SHA256Managed
Synchronized
ReadToEnd
Append
UriKind
DefinePInvokeMethod
GetMethod
Replace
StackTrace
CreateInstance
get_ExitCode
FileMode
ImageLockMode
CompressionMode
Image
EndInvoke
BeginInvoke
ICloneable
IComparable
IEnumerable
IDisposable
IStructuralEquatable
Hashtable
ISerializable
IConvertible
ReadDouble
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
set_SafeWaitHandle
Rectangle
ReadSingle
DeleteFile
get_Module
DefineDynamicModule
get_MainModule
ProcessModule
get_FileName
GetRandomFileName
get_ModuleName
GetProcessesByName
AssemblyName
StackFrame
DateTime
WaitOne
get_NewLine
Combine
get_SecurityZone
ValueType
GetType
GetElementType
FileShare
System.Core
get_CurrentCulture
MethodBase
ApplicationSettingsBase
Close
Dispose
MulticastDelegate
EditorBrowsableState
Delete
Write
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
SecuritySafeCriticalAttribute
SuppressIldasmAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
ThemeInfoAttribute
FlagsAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
set_UseShellExecute
ReadSByte
ReadByte
GetValue
get_Size
SizeOf
System.Threading
Encoding
System.Drawing.Imaging
System.Runtime.Versioning
ReadString
ToString
GetString
System.Drawing
ComputeHash
GetFullPath
GetTempPath
GetFolderPath
get_Length
AsyncCallback
PresentationFramework
GetPathToDotNetFramework
Marshal
ReadDecimal
System.ComponentModel
advapi32.dll
kernel32.dll
System.Xaml
UserControl
CreateFromUrl
FileStream
DeflateStream
MemoryStream
get_Item
set_Item
System
HashAlgorithm
Random
ReadBoolean
AppDomain
get_CurrentDomain
MessageBoxIcon
GetFileNameWithoutExtension
TargetDotNetFrameworkVersion
System.IO.Compression
Application
get_Location
ResourceDictionaryLocation
System.Configuration
System.Globalization
System.Runtime.Serialization
System.Reflection
ICollection
ManagementObjectCollection
op_Addition
set_Position
CallingConvention
IOException
ArgumentNullException
InvalidOperationException
get_InnerException
StringComparison
Intern
CopyTo
MethodInfo
CultureInfo
MemberInfo
set_StartInfo
ProcessStartInfo
Bitmap
Sleep
get_Bmp
System.Windows.Markup
System.Linq
ReadChar
ToChar
StreamReader
TextReader
BinaryReader
IFormatProvider
MethodBuilder
ModuleBuilder
StringBuilder
AssemblyBuilder
SpecialFolder
GetBuffer
ResourceManager
ManagementObjectSearcher
System.CodeDom.Compiler
ToolLocationHelper
CreateProcessAsUser
Enter
BitConverter
ToLower
ManagementObjectEnumerator
GetEnumerator
.ctor
.cctor
IComponentConnector
Monitor
IntPtr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
q^vWG)ENl1my|A8DN:Gu0`O6.resources
lelea.g.resources
20cffb4bad76fe1fc7f47b11c7a774e9.Resources.resources
Microsoft.Build.Utilities
ExpandEnvironmentVariables
Microsoft.Win32.SafeHandles
GetFrames
GetProcesses
MethodAttributes
MethodImplAttributes
ReadBytes
WriteAllBytes
GetBytes
NextBytes
SetImplementationFlags
ResolveEventArgs
System.Threading.Tasks
Equals
System.Windows.Controls
System.Windows.Forms
Contains
System.Collections
CreateGlobalFunctions
CallingConventions
MessageBoxButtons
get_Chars
RuntimeHelpers
FileAccess
AssemblyBuilderAccess
GetCurrentProcess
get_BaseAddress
LockBits
UnlockBits
Exists
System.Windows
Concat
AppendFormat
ImageFormat
PixelFormat
ManagementBaseObject
MarshalByRefObject
GetObject
Connect
CharSet
op_Explicit
System.Reflection.Emit
Default
IAsyncResult
DialogResult
MessageBoxResult
ToUpperInvariant
System.Management
Environment
LoadComponent
InitializeComponent
get_Current
Point
get_Count
Start
Insert
Convert
FailFast
set_RedirectStandardOutput
MoveNext
System.Text
WriteAllText
set_CreateNoWindow
CopyFileEx
MessageBox
Delay
InitializeArray
ToArray
ToCharArray
System.Security.Policy
ContainsKey
System.Security.Cryptography
get_Assembly
DefineDynamicAssembly
GetEntryAssembly
BlockCopy
FromBinary
IEvidenceFactory
Registry
set_Capacity
op_Equality
System.Security
IsNullOrEmpty
Ay2#8_pY&F7jx!
3Jy)d_S9Ks8^4E&
WrapNonExceptionThrows
Copyright
1997 - 2019
9.13.17.22
.NETFramework,Version=v4.6
FrameworkDisplayName
.NET Framework 4.6
k$4J%Dx8Ho3(!Zf5y2
$314062f3-da66-40b9-ba62-b612bf752c4b
PresentationBuildTasks
4.0.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
mnvpswc
rajzul
zength
know database format
ComputeHash
Lsh, version 2, native byte-order)
Un61561
Berkelet DB
00000002
1.85 (H
tuvwxyz
JKLMNOPQRSTUVWXYZabcdefghijklmnopqrs
+-0123456789ABCDEFGH
logins
=0.0.0.0
sVersion
0.0.0.0
Assembly Version
ZyRBOsHCWxFOhLEQuOVyB.exe
Productt
OriginalFilename
xfOdIjUAZeWYHCWxFOhLEQuOVyB.exe
LegalCopyrigh0
InternalName
xfOdIjUAZeWYZyRBOsescription
FileVersion
0.0.0.
StringFileInfo
000004b0
FileDD
VarFileInfo
Translation
ION_INFO
VS_VER
1!1%11
$#&%.-
Isolator
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
3Jy)d_S9Ks8^4E&
CompanyName
FileDescription
Ay2#8_pY&F7jx!
FileVersion
9.13.17.22
InternalName
DONEOZD.exe
LegalCopyright
Copyright
1997 - 2019
OriginalFilename
DONEOZD.exe
ProductName
Ay2#8_pY&F7jx!
ProductVersion
9.13.17.22
Assembly Version
0.0.0.0

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean DrWeb Clean MicroWorld-eScan Clean
FireEye Generic.mg.385c432411913991 CAT-QuickHeal Clean McAfee Fareit-FVT!385C43241191
Cylance Clean Zillya Clean SUPERAntiSpyware Clean
Sangfor Malware K7AntiVirus Clean Alibaba Clean
K7GW Clean Cybereason malicious.fb4514 TrendMicro Clean
BitDefenderTheta Gen:[email protected] F-Prot W32/MSIL_Kryptik.AWA.gen!Eldorado Symantec Clean
ESET-NOD32 a variant of MSIL/Injector.UWI Zoner Clean TrendMicro-HouseCall Clean
TotalDefense Clean Avast Clean ClamAV Win.Malware.AgentTesla-7660762-0
Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean NANO-Antivirus Clean
Paloalto generic.ml AegisLab Clean Rising Clean
Endgame Clean Sophos Clean Comodo Clean
F-Secure Clean Baidu Clean VIPRE Clean
Invincea Clean SentinelOne Clean Trapmine Clean
CMC Clean Emsisoft Clean Ikarus Win32.Outbreak
Cyren W32/MSIL_Kryptik.AWA.gen!Eldorado Jiangmin Clean Webroot Clean
Avira Clean Fortinet Clean Antiy-AVL Clean
Kingsoft Clean Arcabit Clean ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic Avast-Mobile Clean Microsoft Clean
Cynet Clean AhnLab-V3 Clean Acronis Clean
VBA32 Clean ALYac Clean TACHYON Clean
Ad-Aware Clean Malwarebytes Clean APEX Malicious
Tencent Clean Yandex Clean MAX Clean
eGambit Clean GData Clean MaxSecure Clean
AVG Clean Panda Clean CrowdStrike Clean
Qihoo-360 Generic/HEUR/QVM03.0.3E83.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 64006 1.1.1.1 53
192.168.1.2 64006 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Credential Access
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser

Collection
  • T1005 - Data from Local System
    • Signature - infostealer_browser

Execution
  • T1129 - Execution through Module Load
    • Signature - dropper
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

Persistence
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun

    Processing ( 44.064 seconds )

    • 36.743 BehaviorAnalysis
    • 5.372 Suricata
    • 0.726 Static
    • 0.475 CAPE
    • 0.204 static_dotnet
    • 0.179 VirusTotal
    • 0.12 Deduplicate
    • 0.08 TargetInfo
    • 0.066 Dropped
    • 0.037 AnalysisInfo
    • 0.033 NetworkAnalysis
    • 0.014 Strings
    • 0.007 Debug
    • 0.007 peid
    • 0.001 ProcDump

    Signatures ( 2.2389999999999963 seconds )

    • 0.346 antiav_detectreg
    • 0.125 infostealer_ftp
    • 0.115 territorial_disputes_sigs
    • 0.084 Locky_behavior
    • 0.076 stealth_timeout
    • 0.073 Doppelganging
    • 0.071 antianalysis_detectreg
    • 0.071 infostealer_im
    • 0.067 decoy_document
    • 0.061 lsass_credential_dumping
    • 0.058 api_spamming
    • 0.051 InjectionCreateRemoteThread
    • 0.05 injection_createremotethread
    • 0.046 NewtWire Behavior
    • 0.043 masquerade_process_name
    • 0.039 antivm_vbox_keys
    • 0.03 injection_runpe
    • 0.03 antiav_detectfile
    • 0.029 InjectionInterProcess
    • 0.028 InjectionProcessHollowing
    • 0.026 antivm_vmware_keys
    • 0.026 infostealer_mail
    • 0.025 antivm_generic_disk
    • 0.022 injection_explorer
    • 0.021 mimics_filetime
    • 0.019 antivm_parallels_keys
    • 0.019 antivm_xen_keys
    • 0.019 infostealer_bitcoin
    • 0.018 exec_crash
    • 0.018 reads_self
    • 0.017 guloader_apis
    • 0.017 virus
    • 0.016 infostealer_browser
    • 0.016 stealth_file
    • 0.016 antianalysis_detectfile
    • 0.016 ransomware_files
    • 0.014 antidebug_guardpages
    • 0.014 antivm_generic_scsi
    • 0.014 exploit_heapspray
    • 0.013 Unpacker
    • 0.013 antiemu_wine_func
    • 0.013 bootkit
    • 0.013 antivm_generic_diskreg
    • 0.013 antivm_vbox_files
    • 0.012 dynamic_function_loading
    • 0.012 antivm_vpc_keys
    • 0.012 geodo_banking_trojan
    • 0.01 hancitor_behavior
    • 0.01 malicious_dynamic_function_loading
    • 0.01 ransomware_extensions
    • 0.009 infostealer_browser_password
    • 0.009 predatorthethief_files
    • 0.009 qulab_files
    • 0.008 kovter_behavior
    • 0.007 stack_pivot
    • 0.006 antivm_generic_services
    • 0.006 antivm_vbox_libs
    • 0.006 betabot_behavior
    • 0.006 dyre_behavior
    • 0.006 kibex_behavior
    • 0.006 OrcusRAT Behavior
    • 0.006 vawtrak_behavior
    • 0.006 antivm_xen_keys
    • 0.006 antivm_hyperv_keys
    • 0.006 bypass_firewall
    • 0.005 PlugX
    • 0.005 antiav_avast_libs
    • 0.005 exploit_getbasekerneladdress
    • 0.005 persistence_autorun
    • 0.005 blackrat_registry_keys
    • 0.005 recon_programs
    • 0.005 shifu_behavior
    • 0.005 antidbg_devices
    • 0.004 exploit_gethaldispatchtable
    • 0.004 hawkeye_behavior
    • 0.004 antivm_vmware_files
    • 0.004 ketrican_regkeys
    • 0.004 limerat_regkeys
    • 0.003 antiav_bullgaurd_libs
    • 0.003 antidbg_windows
    • 0.003 antisandbox_sunbelt_libs
    • 0.003 network_tor
    • 0.003 antivm_generic_bios
    • 0.003 antivm_generic_system
    • 0.003 darkcomet_regkeys
    • 0.003 masslogger_files
    • 0.003 recon_fingerprint
    • 0.002 antiav_bitdefender_libs
    • 0.002 antiav_emsisoft_libs
    • 0.002 antiav_qurb_libs
    • 0.002 antiav_apioverride_libs
    • 0.002 antiav_nthookengine_libs
    • 0.002 antisandbox_sboxie_libs
    • 0.002 uac_bypass_eventvwr
    • 0.002 encrypted_ioc
    • 0.002 Vidar Behavior
    • 0.002 ipc_namedpipe
    • 0.002 kazybot_behavior
    • 0.002 office_com_load
    • 0.002 neshta_files
    • 0.002 antivm_vbox_devices
    • 0.002 browser_security
    • 0.002 codelux_behavior
    • 0.002 disables_browser_warn
    • 0.002 medusalocker_regkeys
    • 0.002 rat_pcclient
    • 0.002 warzonerat_regkeys
    • 0.002 remcos_regkeys
    • 0.001 InjectionSetWindowLong
    • 0.001 TransactedHollowing
    • 0.001 antisandbox_sleep
    • 0.001 antivm_vmware_libs
    • 0.001 h1n1_behavior
    • 0.001 Raccoon Behavior
    • 0.001 office_vb_load
    • 0.001 office_wmi_load
    • 0.001 office_flash_load
    • 0.001 dcrat_behavior
    • 0.001 rat_luminosity
    • 0.001 rat_nanocore
    • 0.001 tinba_behavior
    • 0.001 antisandbox_threattrack_files
    • 0.001 antivm_vpc_files
    • 0.001 banker_cridex
    • 0.001 modify_proxy
    • 0.001 azorult_mutexes
    • 0.001 network_tor_service
    • 0.001 office_perfkey
    • 0.001 packer_armadillo_regkey
    • 0.001 nemty_regkeys
    • 0.001 revil_mutexes
    • 0.001 dcrat_files
    • 0.001 modirat_bheavior
    • 0.001 obliquerat_files
    • 0.001 warzonerat_files
    • 0.001 remcos_files
    • 0.001 sniffer_winpcap
    • 0.001 tampers_etw
    • 0.001 targeted_flame

    Reporting ( 22.693 seconds )

    • 13.034 BinGraph
    • 9.544 JsonDump
    • 0.063 SubmitCAPE
    • 0.052 MITRE_TTPS