Analysis Report · ACUBE Sandbox

Status: Malicious

Analysis

Category	Package	Started	Completed	Duration	Options	Log(s)	MalScore
FILE	dll	2025-12-09 15:13:07	2025-12-09 15:16:30	203 seconds	Show Options	Show Analysis Log	9.0

vnc_port=5900

2025-12-06 09:30:11,352 [root] INFO: Date set to: 20251209T07:11:46, timeout set to: 180
2025-12-09 07:11:46,000 [root] DEBUG: Starting analyzer from: C:\tmp1n9xjyd0
2025-12-09 07:11:46,000 [root] DEBUG: Storing results at: C:\kfghOFCpn
2025-12-09 07:11:46,000 [root] DEBUG: Pipe server name: \\.\PIPE\CSZfdS
2025-12-09 07:11:46,000 [root] DEBUG: Python path: C:\Python38
2025-12-09 07:11:46,000 [root] INFO: analysis running as an admin
2025-12-09 07:11:46,000 [root] INFO: analysis package specified: "dll"
2025-12-09 07:11:46,000 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2025-12-09 07:11:46,000 [root] DEBUG: imported analysis package "dll"
2025-12-09 07:11:46,000 [root] DEBUG: initializing analysis package "dll"...
2025-12-09 07:11:46,000 [lib.common.common] INFO: wrapping
2025-12-09 07:11:46,000 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:11:46,000 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\red_core.exe
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2025-12-09 07:11:46,000 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-09 07:11:46,062 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-09 07:11:46,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-09 07:11:46,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-09 07:11:46,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-09 07:11:46,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-09 07:11:46,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-09 07:11:46,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-09 07:11:46,109 [modules.auxiliary.disguise] INFO: Disguising GUID to 5ebf9034-656a-4edf-94e1-2e302d84a1d2
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-09 07:11:46,109 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-09 07:11:46,109 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-09 07:11:46,109 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-09 07:11:46,109 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-09 07:11:46,109 [root] DEBUG: attempting to configure 'Human' from data
2025-12-09 07:11:46,109 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-09 07:11:46,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-09 07:11:46,109 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-09 07:11:46,125 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-09 07:11:46,125 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-09 07:11:46,125 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-09 07:11:46,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-09 07:11:46,125 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-09 07:11:46,125 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-09 07:11:46,125 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-09 07:11:46,125 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-09 07:11:46,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-09 07:11:46,125 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-09 07:11:46,125 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-09 07:11:46,125 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-09 07:11:46,125 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-09 07:11:46,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-09 07:11:46,187 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-09 07:11:46,234 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-09 07:11:46,234 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-09 07:11:46,234 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-09 07:11:46,234 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-09 07:11:46,234 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-09 07:11:46,234 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-09 07:11:46,234 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 392
2025-12-09 07:11:46,234 [lib.api.process] INFO: Monitor config for <Process 392 lsass.exe>: C:\tmp1n9xjyd0\dll\392.ini
2025-12-09 07:11:46,234 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-09 07:11:46,234 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:11:46,249 [root] DEBUG: Loader: Injecting process 392 with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:46,281 [root] DEBUG: 392: Python path set to 'C:\Python38'.
2025-12-09 07:11:46,281 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:46,281 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-09 07:11:46,281 [root] DEBUG: 392: TLS secret dump mode enabled.
2025-12-09 07:11:46,296 [root] DEBUG: 392: Monitor initialised: 32-bit capemon loaded in process 392 at 0x6b6d0000, thread 3188, image base 0x4e0000, stack from 0xfe6000-0xff0000
2025-12-09 07:11:46,296 [root] DEBUG: 392: Commandline: C:\Windows\system32\lsass.exe
2025-12-09 07:11:46,296 [root] DEBUG: 392: Hooked 5 out of 5 functions
2025-12-09 07:11:46,296 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:46,296 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:46,312 [lib.api.process] INFO: Injected into 32-bit <Process 392 lsass.exe>
2025-12-09 07:11:46,312 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-09 07:11:46,312 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-09 07:11:46,312 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-09 07:11:46,312 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-09 07:11:46,312 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-09 07:11:46,312 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-09 07:11:46,312 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-09 07:11:46,312 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-09 07:11:46,312 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-09 07:11:46,312 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-09 07:11:46,312 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-09 07:11:46,312 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-09 07:11:46,328 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-09 07:11:46,359 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-09 07:11:46,375 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-09 07:11:46,390 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-09 07:11:46,406 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-09 07:11:46,421 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-09 07:11:46,437 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-09 07:11:46,437 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-09 07:11:46,468 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-09 07:11:46,484 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-09 07:11:46,484 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-09 07:11:46,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-09 07:11:46,531 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-09 07:11:46,546 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-09 07:11:46,546 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-09 07:11:46,562 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-09 07:11:46,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-09 07:11:46,593 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-09 07:11:46,593 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-09 07:11:46,609 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-09 07:11:46,625 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-09 07:11:46,640 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-09 07:11:46,656 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-09 07:11:46,671 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-09 07:11:46,687 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-09 07:11:46,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-09 07:11:46,718 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-09 07:11:46,734 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:11:46,750 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:11:46,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-09 07:11:46,781 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-09 07:11:46,796 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-09 07:11:46,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-09 07:11:46,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-09 07:11:46,843 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-09 07:11:46,859 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-09 07:11:46,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-09 07:11:46,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-09 07:11:46,906 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-09 07:11:46,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-09 07:11:46,937 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-09 07:11:46,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-09 07:11:46,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-09 07:11:46,984 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-09 07:11:47,000 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-09 07:11:47,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-09 07:11:47,031 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-09 07:11:47,046 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-09 07:11:47,062 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-09 07:11:47,078 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-09 07:11:47,093 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-09 07:11:47,109 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-09 07:11:47,109 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-09 07:11:47,125 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-09 07:11:47,140 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-09 07:11:47,156 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-09 07:11:47,171 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-09 07:11:47,187 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-09 07:11:47,203 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-09 07:11:47,218 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-09 07:11:51,593 [root] INFO: Restarting WMI Service
2025-12-09 07:11:53,609 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2025-12-09 07:11:53,609 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2025-12-09 07:11:53,609 [lib.common.common] INFO: Submitted file is missing extension, adding .dll
2025-12-09 07:11:53,609 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:11:53,609 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1" with pid 2848
2025-12-09 07:11:53,609 [lib.api.process] INFO: Monitor config for <Process 2848 rundll32.exe>: C:\tmp1n9xjyd0\dll\2848.ini
2025-12-09 07:11:53,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:11:53,609 [root] DEBUG: Loader: Injecting process 2848 (thread 3240) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:53,609 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:11:53,609 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:53,609 [lib.api.process] INFO: Injected into 32-bit <Process 2848 rundll32.exe>
2025-12-09 07:11:55,609 [lib.api.process] INFO: Successfully resumed <Process 2848 rundll32.exe>
2025-12-09 07:11:55,671 [root] DEBUG: 2848: Python path set to 'C:\Python38'.
2025-12-09 07:11:55,671 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:55,671 [root] DEBUG: 2848: Dropped file limit defaulting to 100.
2025-12-09 07:11:55,671 [root] DEBUG: 2848: YaraInit: Compiled 41 rule files
2025-12-09 07:11:55,671 [root] DEBUG: 2848: YaraInit: Compiled rules saved to file C:\tmp1n9xjyd0\data\yara\capemon.yac
2025-12-09 07:11:55,671 [root] DEBUG: 2848: YaraScan: Scanning 0x00230000, size 0xd250
2025-12-09 07:11:55,671 [root] DEBUG: 2848: Monitor initialised: 32-bit capemon loaded in process 2848 at 0x6b6d0000, thread 3240, image base 0x230000, stack from 0x144000-0x150000
2025-12-09 07:11:55,671 [root] DEBUG: 2848: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1
2025-12-09 07:11:55,671 [root] DEBUG: 2848: GetAddressByYara: ModuleBase 0x77210000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:55,687 [root] DEBUG: 2848: hook_api: LdrpCallInitRoutine export address 0x77268810 obtained via GetFunctionAddress
2025-12-09 07:11:55,687 [root] DEBUG: 2848: hook_api: Warning - CreateProcessA export address 0x766B2082 differs from GetProcAddress -> 0x70C22437 (AcLayers.DLL::0x12437)
2025-12-09 07:11:55,687 [root] DEBUG: 2848: hook_api: Warning - CreateProcessW export address 0x766B204D differs from GetProcAddress -> 0x70C225AB (AcLayers.DLL::0x125ab)
2025-12-09 07:11:55,687 [root] DEBUG: 2848: hook_api: Warning - WinExec export address 0x7673F43A differs from GetProcAddress -> 0x70C2271F (AcLayers.DLL::0x1271f)
2025-12-09 07:11:55,687 [root] DEBUG: 2848: hook_api: Warning - CreateRemoteThreadEx export address 0x7676F98F differs from GetProcAddress -> 0x752EBB18 (KERNELBASE.dll::0xbb18)
2025-12-09 07:11:55,687 [root] DEBUG: 2848: hook_api: Warning - UpdateProcThreadAttribute export address 0x7677020F differs from GetProcAddress -> 0x752F43FB (KERNELBASE.dll::0x143fb)
2025-12-09 07:11:55,687 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:55,687 [root] DEBUG: 2848: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:55,687 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:55,687 [root] DEBUG: 2848: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:55,687 [root] DEBUG: 2848: Hooked 611 out of 613 functions
2025-12-09 07:11:55,687 [root] DEBUG: 2848: WoW64 not detected.
2025-12-09 07:11:55,687 [root] INFO: Loaded monitor into process with pid 2848
2025-12-09 07:11:55,687 [root] DEBUG: 2848: caller_dispatch: Added region at 0x00230000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x002315C7, thread 3240).
2025-12-09 07:11:55,687 [root] DEBUG: 2848: YaraScan: Scanning 0x00230000, size 0xd250
2025-12-09 07:11:55,687 [root] DEBUG: 2848: ProcessImageBase: Main module image at 0x00230000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:11:55,703 [root] DEBUG: 2848: Target DLL loaded at 0x6DB10000: C:\Users\user\AppData\Local\Temp\red_core.exe (0x6c000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2848: YaraScan: Scanning 0x6DB10000, size 0x6a272
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x76840000: C:\Windows\system32\WININET (0x1e4000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x75290000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x752B0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x75210000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x74690000: C:\Windows\System32\version (0x9000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x752A0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2848: DLL loaded at 0x77390000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x75690000: C:\Windows\system32\iertutil (0x232000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x75330000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x73A30000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x74DD0000: C:\Windows\system32\wevtapi (0x42000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x733A0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x73400000: C:\Windows\system32\WINNSI (0x7000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: caller_dispatch: Added region at 0x6DB10000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x6DB2D6B1, thread 3240).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: caller_dispatch: Scanning calling region at 0x6DB10000...
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x75080000: C:\Windows\System32\Secur32 (0x8000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x728C0000: C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x75280000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2848: DLL loaded at 0x72080000: C:\Windows\system32\winhttp (0x58000 bytes).
2025-12-09 07:11:55,750 [root] DEBUG: 2848: DLL loaded at 0x72010000: C:\Windows\system32\webio (0x50000 bytes).
2025-12-09 07:11:55,750 [root] DEBUG: 2848: DLL loaded at 0x71EF0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2025-12-09 07:11:55,750 [root] DEBUG: 2848: DLL loaded at 0x728D0000: C:\Windows\system32\napinsp (0x10000 bytes).
2025-12-09 07:11:55,750 [root] DEBUG: 2848: DLL loaded at 0x70BF0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2025-12-09 07:11:55,750 [root] DEBUG: 2848: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2025-12-09 07:11:55,750 [root] DEBUG: 2848: DLL loaded at 0x74AB0000: C:\Windows\System32\DNSAPI (0x44000 bytes).
2025-12-09 07:11:55,765 [root] DEBUG: 2848: DLL loaded at 0x72360000: C:\Windows\System32\winrnr (0x8000 bytes).
2025-12-09 07:11:55,765 [root] DEBUG: 2848: DLL loaded at 0x73330000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2025-12-09 07:11:55,765 [root] DEBUG: 2848: DLL loaded at 0x718C0000: C:\Windows\System32\rasadhlp (0x6000 bytes).
2025-12-09 07:11:55,765 [root] DEBUG: 2848: DLL loaded at 0x73270000: C:\Windows\System32\dhcpcsvc (0x12000 bytes).
2025-12-09 07:11:55,765 [root] DEBUG: 2848: DLL loaded at 0x73F40000: C:\Windows\system32\uxtheme (0x40000 bytes).
2025-12-09 07:11:55,765 [root] DEBUG: 2848: DLL loaded at 0x74BE0000: C:\Windows\System32\wship6 (0x6000 bytes).
2025-12-09 07:11:55,781 [root] DEBUG: 2848: DLL loaded at 0x73F80000: C:\Windows\System32\dwmapi (0x13000 bytes).
2025-12-09 07:11:56,765 [root] DEBUG: 2848: DLL loaded at 0x75110000: C:\Windows\System32\CRYPTBASE (0xc000 bytes).
2025-12-09 07:11:56,765 [root] DEBUG: 2848: DLL loaded at 0x76CB0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2025-12-09 07:11:56,765 [root] DEBUG: 2848: DLL loaded at 0x746A0000: C:\Windows\system32\FirewallAPI (0x76000 bytes).
2025-12-09 07:11:56,765 [root] DEBUG: 2848: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate
2025-12-09 07:11:56,765 [root] DEBUG: 2848: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate
2025-12-09 07:11:56,765 [root] DEBUG: 2848: DLL loaded at 0x76A30000: C:\Windows\system32\COMDLG32 (0x7b000 bytes).
2025-12-09 07:11:56,781 [root] DEBUG: 2848: DLL loaded at 0x71F80000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2025-12-09 07:11:56,781 [root] DEBUG: 2848: DLL loaded at 0x6F9D0000: C:\Windows\System32\OLEACC (0x3c000 bytes).
2025-12-09 07:11:56,781 [root] DEBUG: 2848: ProtectionHandler: Adding region at 0x10001000 to tracked regions.
2025-12-09 07:11:56,781 [root] DEBUG: 2848: DumpPEsInRange: Scanning range 0x10000000 - 0x1004C200.
2025-12-09 07:11:56,781 [root] DEBUG: 2848: ScanForDisguisedPE: PE image located at: 0x10000000
2025-12-09 07:11:56,781 [root] DEBUG: 2848: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-12-09 07:11:56,781 [root] DEBUG: 2848: DumpProcess: Instantiating PeParser with address: 0x10000000.
2025-12-09 07:11:56,781 [root] DEBUG: 2848: DumpProcess: Module entry point VA is 0x0001C50E.
2025-12-09 07:11:56,781 [root] DEBUG: 2848: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x1004D000, section 5
2025-12-09 07:11:56,796 [lib.common.results] INFO: Uploading file C:\kfghOFCpn\CAPE\2848_326365631892122025 to CAPE\13aa13d685073aafc8c91046df7a5c7d8660413963ce3ff23697255acd489207; Size is 279040; Max size: 100000000
2025-12-09 07:11:56,796 [root] DEBUG: 2848: DumpProcess: Module image dump success - dump size 0x44200.
2025-12-09 07:11:56,796 [root] DEBUG: 2848: ScanForDisguisedPE: No PE image located in range 0x10001000-0x1004C200.
2025-12-09 07:11:56,796 [root] DEBUG: 2848: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:11:56,796 [root] DEBUG: 2848: DumpRegion: Dumped PE image(s) from base address 0x10000000, size 315392 bytes.
2025-12-09 07:11:56,796 [root] DEBUG: 2848: ProcessTrackedRegion: Dumped region at 0x10000000.
2025-12-09 07:11:56,796 [root] DEBUG: 2848: YaraScan: Scanning 0x10000000, size 0x4c200
2025-12-09 07:11:56,796 [root] DEBUG: 2848: DLL loaded at 0x6F880000: C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2025-12-09 07:11:56,812 [root] DEBUG: 2848: DLL loaded at 0x74720000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2025-12-09 07:11:56,812 [root] DEBUG: 2848: CreateProcessHandler: Injection info set for new process 3784: C:\Windows\System32\TASKKILL.exe, ImageBase: 0x00720000
2025-12-09 07:11:56,812 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 3784
2025-12-09 07:11:56,812 [lib.api.process] INFO: Monitor config for <Process 3784 taskkill.exe>: C:\tmp1n9xjyd0\dll\3784.ini
2025-12-09 07:11:56,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:11:56,812 [root] DEBUG: Loader: Injecting process 3784 (thread 3752) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:56,812 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:11:56,812 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:56,812 [lib.api.process] INFO: Injected into 32-bit <Process 3784 taskkill.exe>
2025-12-09 07:11:56,828 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 3784
2025-12-09 07:11:56,828 [lib.api.process] INFO: Monitor config for <Process 3784 taskkill.exe>: C:\tmp1n9xjyd0\dll\3784.ini
2025-12-09 07:11:56,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:11:56,828 [root] DEBUG: Loader: Injecting process 3784 (thread 3752) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:56,828 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:11:56,828 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:56,828 [lib.api.process] INFO: Injected into 32-bit <Process 3784 taskkill.exe>
2025-12-09 07:11:56,843 [root] DEBUG: 3784: Python path set to 'C:\Python38'.
2025-12-09 07:11:56,843 [root] DEBUG: 3784: Dropped file limit defaulting to 100.
2025-12-09 07:11:56,843 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:56,843 [root] DEBUG: 3784: YaraInit: Compiled rules loaded from existing file C:\tmp1n9xjyd0\data\yara\capemon.yac
2025-12-09 07:11:56,843 [root] DEBUG: 3784: YaraScan: Scanning 0x00720000, size 0x15b28
2025-12-09 07:11:56,859 [root] DEBUG: 3784: Monitor initialised: 32-bit capemon loaded in process 3784 at 0x6b6d0000, thread 3752, image base 0x720000, stack from 0x206000-0x210000
2025-12-09 07:11:56,859 [root] DEBUG: 3784: Commandline: TASKKILL /F /IM rundll32.exe
2025-12-09 07:11:56,859 [root] DEBUG: 3784: GetAddressByYara: ModuleBase 0x77210000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: LdrpCallInitRoutine export address 0x77268810 obtained via GetFunctionAddress
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: Warning - CreateRemoteThreadEx export address 0x7676F98F differs from GetProcAddress -> 0x752EBB18 (KERNELBASE.dll::0xbb18)
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: Warning - UpdateProcThreadAttribute export address 0x7677020F differs from GetProcAddress -> 0x752F43FB (KERNELBASE.dll::0x143fb)
2025-12-09 07:11:56,859 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:56,859 [root] DEBUG: 3784: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:56,859 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:56,859 [root] DEBUG: 3784: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: Warning - NetUserGetInfo export address 0x7393528E differs from GetProcAddress -> 0x738E1BE2 (SAMCLI.DLL::0x1be2)
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: Warning - NetGetJoinInformation export address 0x73934AD2 differs from GetProcAddress -> 0x738F2C3F (wkscli.dll::0x2c3f)
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: Warning - NetUserGetLocalGroups export address 0x739352A4 differs from GetProcAddress -> 0x738E28AA (SAMCLI.DLL::0x28aa)
2025-12-09 07:11:56,859 [root] DEBUG: 3784: hook_api: Warning - DsEnumerateDomainTrustsW export address 0x73933C9E differs from GetProcAddress -> 0x74A5B1FA (LOGONCLI.DLL::0xb1fa)
2025-12-09 07:11:56,859 [root] DEBUG: 3784: Hooked 611 out of 613 functions
2025-12-09 07:11:56,859 [root] DEBUG: 3784: WoW64 not detected.
2025-12-09 07:11:56,875 [root] INFO: Loaded monitor into process with pid 3784
2025-12-09 07:11:56,875 [root] DEBUG: 3784: caller_dispatch: Added region at 0x00720000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00725CCC, thread 3752).
2025-12-09 07:11:56,875 [root] DEBUG: 3784: YaraScan: Scanning 0x00720000, size 0x15b28
2025-12-09 07:11:56,875 [root] DEBUG: 3784: ProcessImageBase: Main module image at 0x00720000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:11:56,875 [root] DEBUG: 3784: DLL loaded at 0x75110000: C:\Windows\System32\CRYPTBASE (0xc000 bytes).
2025-12-09 07:11:56,875 [lib.api.process] INFO: Monitor config for <Process 560 svchost.exe>: C:\tmp1n9xjyd0\dll\560.ini
2025-12-09 07:11:56,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:11:56,875 [root] DEBUG: Loader: Injecting process 560 with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:56,875 [root] DEBUG: 560: Python path set to 'C:\Python38'.
2025-12-09 07:11:56,875 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:56,875 [root] DEBUG: 560: Dropped file limit defaulting to 100.
2025-12-09 07:11:56,875 [root] DEBUG: 560: parent_has_path: unable to get path for parent process 376
2025-12-09 07:11:56,890 [root] DEBUG: 560: YaraInit: Compiled rules loaded from existing file C:\tmp1n9xjyd0\data\yara\capemon.yac
2025-12-09 07:11:56,890 [root] DEBUG: 560: YaraScan: Scanning 0x00270000, size 0x73ca
2025-12-09 07:11:56,890 [root] DEBUG: 560: Monitor initialised: 32-bit capemon loaded in process 560 at 0x6b6d0000, thread 3996, image base 0x270000, stack from 0x10e6000-0x10f0000
2025-12-09 07:11:56,890 [root] DEBUG: 560: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch
2025-12-09 07:11:56,890 [root] DEBUG: 560: GetAddressByYara: ModuleBase 0x77210000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:56,890 [root] DEBUG: 560: hook_api: LdrpCallInitRoutine export address 0x77268810 obtained via GetFunctionAddress
2025-12-09 07:11:56,890 [root] DEBUG: 560: hook_api: Warning - CreateRemoteThreadEx export address 0x7676F98F differs from GetProcAddress -> 0x752EBB18 (KERNELBASE.dll::0xbb18)
2025-12-09 07:11:56,890 [root] DEBUG: 560: hook_api: Warning - UpdateProcThreadAttribute export address 0x7677020F differs from GetProcAddress -> 0x752F43FB (KERNELBASE.dll::0x143fb)
2025-12-09 07:11:56,890 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:56,890 [root] DEBUG: 560: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:56,890 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:56,890 [root] DEBUG: 560: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:56,890 [root] DEBUG: 560: Hooked 611 out of 613 functions
2025-12-09 07:11:56,890 [root] DEBUG: 560: WoW64 not detected.
2025-12-09 07:11:56,906 [root] INFO: Loaded monitor into process with pid 560
2025-12-09 07:11:56,906 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:56,906 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:56,906 [lib.api.process] INFO: Injected into 32-bit <Process 560 svchost.exe>
2025-12-09 07:11:57,578 [root] DEBUG: 2848: api-cap: GetAsyncKeyState hook disabled due to count: 5000
2025-12-09 07:11:57,828 [root] DEBUG: 560: OpenProcessHandler: Injection info created for process 808, handle 0x5f4: C:\Windows\System32\audiodg.exe
2025-12-09 07:11:57,828 [root] DEBUG: 560: OpenProcessHandler: Injection info created for process 652, handle 0x5ec: C:\Windows\System32\taskhost.exe
2025-12-09 07:11:58,438 [modules.auxiliary.human] INFO: Found button "ok", clicking it
2025-12-09 07:11:58,915 [lib.api.process] INFO: Monitor config for <Process 3092 svchost.exe>: C:\tmp1n9xjyd0\dll\3092.ini
2025-12-09 07:11:58,915 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:11:58,915 [root] DEBUG: Loader: Injecting process 3092 with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:58,915 [root] DEBUG: 3092: Python path set to 'C:\Python38'.
2025-12-09 07:11:58,915 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:58,915 [root] DEBUG: 3092: Dropped file limit defaulting to 100.
2025-12-09 07:11:58,915 [root] DEBUG: 3092: parent_has_path: unable to get path for parent process 376
2025-12-09 07:11:58,915 [root] DEBUG: 3092: YaraInit: Compiled rules loaded from existing file C:\tmp1n9xjyd0\data\yara\capemon.yac
2025-12-09 07:11:58,915 [root] DEBUG: 3092: YaraScan: Scanning 0x00270000, size 0x73ca
2025-12-09 07:11:58,915 [root] DEBUG: 3092: Monitor initialised: 32-bit capemon loaded in process 3092 at 0x6b6d0000, thread 2280, image base 0x270000, stack from 0xb96000-0xba0000
2025-12-09 07:11:58,915 [root] DEBUG: 3092: Commandline: C:\Windows\system32\svchost.exe -k netsvcs
2025-12-09 07:11:58,915 [root] DEBUG: 3092: GetAddressByYara: ModuleBase 0x77210000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:58,930 [root] DEBUG: 3092: hook_api: LdrpCallInitRoutine export address 0x77268810 obtained via GetFunctionAddress
2025-12-09 07:11:58,930 [root] DEBUG: 3092: hook_api: Warning - CreateRemoteThreadEx export address 0x7676F98F differs from GetProcAddress -> 0x752EBB18 (KERNELBASE.dll::0xbb18)
2025-12-09 07:11:58,930 [root] DEBUG: 3092: hook_api: Warning - UpdateProcThreadAttribute export address 0x7677020F differs from GetProcAddress -> 0x752F43FB (KERNELBASE.dll::0x143fb)
2025-12-09 07:11:58,930 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:58,930 [root] DEBUG: 3092: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:58,930 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:58,930 [root] DEBUG: 3092: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:58,930 [root] DEBUG: 3092: Hooked 611 out of 613 functions
2025-12-09 07:11:58,930 [root] DEBUG: 3092: WoW64 not detected.
2025-12-09 07:11:58,930 [root] INFO: Loaded monitor into process with pid 3092
2025-12-09 07:11:58,930 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:58,930 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:11:58,930 [lib.api.process] INFO: Injected into 32-bit <Process 3092 svchost.exe>
2025-12-09 07:11:59,446 [root] INFO: Process with pid 2848 has terminated
2025-12-09 07:11:59,446 [root] DEBUG: 2848: NtTerminateProcess hook: Attempting to dump process 2848
2025-12-09 07:11:59,446 [root] DEBUG: 2848: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x76CB0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x71E70000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x71DE0000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x74A80000: C:\Windows\system32\Winsta (0x29000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x74C30000: C:\Windows\System32\CRYPTSP (0x16000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x74990000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2025-12-09 07:12:00,930 [root] DEBUG: 3784: DLL loaded at 0x75180000: C:\Windows\System32\RpcRtRemote (0xe000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 3092: DLL loaded at 0x72510000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 3092: DLL loaded at 0x73580000: C:\Windows\system32\ATL (0x14000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 3092: DLL loaded at 0x72960000: C:\Windows\system32\VssTrace (0x10000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 3092: DLL loaded at 0x738E0000: C:\Windows\system32\samcli (0xf000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 3092: DLL loaded at 0x740B0000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2025-12-09 07:12:00,946 [root] DEBUG: 3092: DLL loaded at 0x73900000: C:\Windows\system32\netutils (0x9000 bytes).
2025-12-09 07:12:00,961 [root] DEBUG: 3092: DLL loaded at 0x734A0000: C:\Windows\system32\es (0x47000 bytes).
2025-12-09 07:12:00,961 [root] DEBUG: 3092: DLL loaded at 0x73FB0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2025-12-09 07:12:00,961 [root] DEBUG: 3092: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:12:00,977 [root] DEBUG: 3092: DLL loaded at 0x710F0000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 3092: DLL loaded at 0x74690000: C:\Windows\system32\VERSION (0x9000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 3092: DLL loaded at 0x710A0000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 3092: DLL loaded at 0x71370000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 3092: DLL loaded at 0x712D0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 3092: DLL loaded at 0x71260000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2025-12-09 07:12:00,977 [root] DEBUG: 3784: DLL loaded at 0x71260000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 3092: DLL loaded at 0x74DA0000: C:\Windows\system32\authZ (0x1b000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 3092: DLL loaded at 0x70FC0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 3092: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:12:00,993 [root] DEBUG: 3092: DLL loaded at 0x70F70000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2025-12-09 07:12:00,993 [root] DEBUG: 3092: DLL loaded at 0x74DD0000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2025-12-09 07:12:01,071 [root] DEBUG: 3092: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:12:01,071 [root] DEBUG: 3092: DLL loaded at 0x70EC0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2025-12-09 07:12:01,071 [root] DEBUG: 3092: DLL loaded at 0x70EB0000: C:\Windows\system32\NCObjAPI (0xf000 bytes).
2025-12-09 07:12:01,071 [root] DEBUG: 3092: OpenProcessHandler: Injection info created for process 560, handle 0x2d0: C:\Windows\System32\svchost.exe
2025-12-09 07:12:01,086 [root] DEBUG: 3092: DLL loaded at 0x70C40000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 3784: DLL loaded at 0x71370000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 3784: DLL loaded at 0x712D0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2025-12-09 07:12:01,180 [root] DEBUG: 3092: DLL loaded at 0x70C20000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2025-12-09 07:12:01,180 [root] DEBUG: 560: CreateProcessHandler: Injection info set for new process 2464: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x01090000
2025-12-09 07:12:01,180 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2464
2025-12-09 07:12:01,180 [lib.api.process] INFO: Monitor config for <Process 2464 WmiPrvSE.exe>: C:\tmp1n9xjyd0\dll\2464.ini
2025-12-09 07:12:01,227 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:12:01,227 [root] DEBUG: Loader: Injecting process 2464 (thread 2504) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:01,227 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:01,227 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:01,227 [lib.api.process] INFO: Injected into 32-bit <Process 2464 WmiPrvSE.exe>
2025-12-09 07:12:01,227 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2464
2025-12-09 07:12:01,243 [lib.api.process] INFO: Monitor config for <Process 2464 WmiPrvSE.exe>: C:\tmp1n9xjyd0\dll\2464.ini
2025-12-09 07:12:01,258 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:12:01,258 [root] DEBUG: Loader: Injecting process 2464 (thread 2504) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:01,274 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:01,274 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:01,274 [lib.api.process] INFO: Injected into 32-bit <Process 2464 WmiPrvSE.exe>
2025-12-09 07:12:01,274 [root] DEBUG: 2464: Python path set to 'C:\Python38'.
2025-12-09 07:12:01,274 [root] DEBUG: 2464: Dropped file limit defaulting to 100.
2025-12-09 07:12:01,274 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:01,274 [root] DEBUG: 2464: Services hook set enabled
2025-12-09 07:12:01,290 [root] DEBUG: 2464: YaraInit: Compiled rules loaded from existing file C:\tmp1n9xjyd0\data\yara\capemon.yac
2025-12-09 07:12:01,305 [root] DEBUG: 2464: Monitor initialised: 32-bit capemon loaded in process 2464 at 0x6b6d0000, thread 2504, image base 0x1090000, stack from 0x1b0000-0x1c0000
2025-12-09 07:12:01,305 [root] DEBUG: 2464: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2025-12-09 07:12:01,305 [root] DEBUG: 2464: hook_api: Warning - CreateRemoteThreadEx export address 0x7676F98F differs from GetProcAddress -> 0x752EBB18 (KERNELBASE.dll::0xbb18)
2025-12-09 07:12:01,305 [root] DEBUG: 2464: Hooked 69 out of 69 functions
2025-12-09 07:12:01,305 [root] DEBUG: 2464: WoW64 not detected.
2025-12-09 07:12:01,305 [root] INFO: Loaded monitor into process with pid 2464
2025-12-09 07:12:01,305 [root] DEBUG: 2464: DLL loaded at 0x75110000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2025-12-09 07:12:01,305 [root] DEBUG: 2464: DLL loaded at 0x73700000: C:\Windows\system32\ntmarta (0x21000 bytes).
2025-12-09 07:12:01,305 [root] DEBUG: 2464: DLL loaded at 0x76BB0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2025-12-09 07:12:01,305 [root] DEBUG: 2464: DLL loaded at 0x76CB0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2025-12-09 07:12:01,305 [root] DEBUG: 2464: DLL loaded at 0x71E70000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2025-12-09 07:12:01,305 [root] DEBUG: 2464: DLL loaded at 0x74C30000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2025-12-09 07:12:01,321 [root] DEBUG: 2464: DLL loaded at 0x74990000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2025-12-09 07:12:01,321 [root] DEBUG: 2464: DLL loaded at 0x75180000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2025-12-09 07:12:01,321 [root] DEBUG: 2464: DLL loaded at 0x71260000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2025-12-09 07:12:01,321 [root] DEBUG: 3092: OpenProcessHandler: Injection info created for process 2464, handle 0x538: C:\Windows\System32\wbem\WmiPrvSE.exe
2025-12-09 07:12:01,321 [root] DEBUG: 2464: DLL loaded at 0x70FC0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2025-12-09 07:12:01,383 [root] DEBUG: 2464: DLL loaded at 0x6A210000: C:\Windows\system32\wbem\cimwin32 (0x14a000 bytes).
2025-12-09 07:12:01,383 [root] DEBUG: 2464: DLL loaded at 0x6C830000: C:\Windows\system32\framedynos (0x35000 bytes).
2025-12-09 07:12:01,383 [root] DEBUG: 2464: DLL loaded at 0x73960000: C:\Windows\system32\WINBRAND (0x7000 bytes).
2025-12-09 07:12:01,415 [root] DEBUG: 3784: NtTerminateProcess hook: Attempting to dump process 3784
2025-12-09 07:12:01,430 [root] DEBUG: 3784: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:01,430 [root] INFO: Process with pid 3784 has terminated
2025-12-09 07:12:19,024 [root] DEBUG: 560: OpenProcessHandler: Injection info created for process 3216, handle 0x5f4: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
2025-12-09 07:12:21,633 [root] DEBUG: 3092: caller_dispatch: Added region at 0x00270000 to tracked regions list (ntdll::NtWaitForSingleObject returns to 0x00271499, thread 2976).
2025-12-09 07:12:21,633 [root] DEBUG: 3092: YaraScan: Scanning 0x00270000, size 0x73ca
2025-12-09 07:12:21,633 [root] DEBUG: 3092: ProcessImageBase: Main module image at 0x00270000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:51,368 [root] DEBUG: 560: CreateProcessHandler: Injection info set for new process 3688: C:\Windows\system32\DllHost.exe, ImageBase: 0x00970000
2025-12-09 07:12:51,368 [root] INFO: Announced 32-bit process name: dllhost.exe pid: 3688
2025-12-09 07:12:51,368 [lib.api.process] INFO: Monitor config for <Process 3688 dllhost.exe>: C:\tmp1n9xjyd0\dll\3688.ini
2025-12-09 07:12:51,368 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:12:51,383 [root] DEBUG: Loader: Injecting process 3688 (thread 3652) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:51,383 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:51,383 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:51,383 [lib.api.process] INFO: Injected into 32-bit <Process 3688 dllhost.exe>
2025-12-09 07:12:51,383 [root] INFO: Announced 32-bit process name: dllhost.exe pid: 3688
2025-12-09 07:12:51,383 [lib.api.process] INFO: Monitor config for <Process 3688 dllhost.exe>: C:\tmp1n9xjyd0\dll\3688.ini
2025-12-09 07:12:51,383 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp1n9xjyd0\dll\cdeousNy.dll, loader C:\tmp1n9xjyd0\bin\DTbyLui.exe
2025-12-09 07:12:51,399 [root] DEBUG: Loader: Injecting process 3688 (thread 3652) with C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:51,399 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:51,399 [root] DEBUG: Successfully injected DLL C:\tmp1n9xjyd0\dll\cdeousNy.dll.
2025-12-09 07:12:51,399 [lib.api.process] INFO: Injected into 32-bit <Process 3688 dllhost.exe>
2025-12-09 07:12:51,399 [root] DEBUG: 3688: Python path set to 'C:\Python38'.
2025-12-09 07:12:51,399 [root] DEBUG: 3688: Dropped file limit defaulting to 100.
2025-12-09 07:12:51,399 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:51,399 [root] DEBUG: 3688: YaraInit: Compiled rules loaded from existing file C:\tmp1n9xjyd0\data\yara\capemon.yac
2025-12-09 07:12:51,399 [root] DEBUG: 3688: YaraScan: Scanning 0x00970000, size 0x4114
2025-12-09 07:12:51,399 [root] DEBUG: 3688: Monitor initialised: 32-bit capemon loaded in process 3688 at 0x6b6d0000, thread 3652, image base 0x970000, stack from 0x236000-0x240000
2025-12-09 07:12:51,399 [root] DEBUG: 3688: Commandline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
2025-12-09 07:12:51,415 [root] DEBUG: 3688: GetAddressByYara: ModuleBase 0x77210000 FunctionName LdrpCallInitRoutine
2025-12-09 07:12:51,415 [root] DEBUG: 3688: hook_api: LdrpCallInitRoutine export address 0x77268810 obtained via GetFunctionAddress
2025-12-09 07:12:51,415 [root] DEBUG: 3688: hook_api: Warning - CreateRemoteThreadEx export address 0x7676F98F differs from GetProcAddress -> 0x752EBB18 (KERNELBASE.dll::0xbb18)
2025-12-09 07:12:51,415 [root] DEBUG: 3688: hook_api: Warning - UpdateProcThreadAttribute export address 0x7677020F differs from GetProcAddress -> 0x752F43FB (KERNELBASE.dll::0x143fb)
2025-12-09 07:12:51,415 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:12:51,415 [root] DEBUG: 3688: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:12:51,415 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:12:51,415 [root] DEBUG: 3688: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:12:51,415 [root] DEBUG: 3688: Hooked 611 out of 613 functions
2025-12-09 07:12:51,415 [root] DEBUG: 3688: WoW64 not detected.
2025-12-09 07:12:51,415 [root] INFO: Loaded monitor into process with pid 3688
2025-12-09 07:12:51,415 [root] DEBUG: 3688: caller_dispatch: Added region at 0x00970000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x0097193E, thread 3652).
2025-12-09 07:12:51,415 [root] DEBUG: 3688: YaraScan: Scanning 0x00970000, size 0x4114
2025-12-09 07:12:51,430 [root] DEBUG: 3688: ProcessImageBase: Main module image at 0x00970000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x75110000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x76CB0000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x76620000: C:\Windows\system32\OLEAUT32 (0x8f000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x74C30000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x74990000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x75180000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: DLL loaded at 0x73F40000: C:\Windows\system32\uxtheme (0x40000 bytes).
2025-12-09 07:12:51,430 [root] DEBUG: 3688: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x76840000: C:\Windows\System32\wininet (0x1e4000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75290000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x752B0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75210000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x74690000: C:\Windows\system32\version (0x9000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x752A0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x77390000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75690000: C:\Windows\system32\iertutil (0x232000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75330000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75500000: C:\Windows\system32\USERENV (0x17000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75200000: C:\Windows\system32\profapi (0xb000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75280000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x75080000: C:\Windows\system32\Secur32 (0x8000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x758D0000: C:\Windows\system32\SHELL32 (0xc4c000 bytes).
2025-12-09 07:12:51,446 [root] DEBUG: 3688: DLL loaded at 0x728C0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:12:51,461 [root] DEBUG: 3688: DLL loaded at 0x72080000: C:\Windows\system32\winhttp (0x58000 bytes).
2025-12-09 07:12:51,461 [root] DEBUG: 3688: DLL loaded at 0x72010000: C:\Windows\system32\webio (0x50000 bytes).
2025-12-09 07:12:51,461 [root] DEBUG: 3688: DLL loaded at 0x74BF0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2025-12-09 07:12:51,461 [root] DEBUG: 3688: DLL loaded at 0x74BE0000: C:\Windows\System32\wship6 (0x6000 bytes).
2025-12-09 07:12:51,461 [root] DEBUG: 3688: DLL loaded at 0x733A0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2025-12-09 07:12:51,477 [root] DEBUG: 3688: DLL loaded at 0x73400000: C:\Windows\system32\WINNSI (0x7000 bytes).
2025-12-09 07:12:56,243 [root] DEBUG: 560: OpenProcessHandler: Injection info created for process 3432, handle 0x5f4: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
2025-12-09 07:12:56,461 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
2025-12-09 07:12:56,461 [root] INFO: Process with pid 3688 has terminated
2025-12-09 07:12:56,461 [root] DEBUG: 3688: NtTerminateProcess hook: Attempting to dump process 3688
2025-12-09 07:12:56,461 [root] DEBUG: 3688: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:31,133 [root] DEBUG: 2464: NtTerminateProcess hook: Attempting to dump process 2464
2025-12-09 07:13:31,133 [root] DEBUG: 2464: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:31,133 [root] INFO: Process with pid 2464 has terminated
2025-12-09 07:14:55,618 [root] INFO: Analysis timeout hit, terminating analysis
2025-12-09 07:14:55,618 [lib.api.process] INFO: Terminate event set for <Process 560 svchost.exe>
2025-12-09 07:14:55,618 [root] DEBUG: 560: Terminate Event: Attempting to dump process 560
2025-12-09 07:14:55,618 [root] DEBUG: 560: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:14:55,618 [root] DEBUG: 560: Terminate Event: Current region empty
2025-12-09 07:14:55,618 [lib.api.process] INFO: Termination confirmed for <Process 560 svchost.exe>
2025-12-09 07:14:55,618 [root] INFO: Terminate event set for process 560
2025-12-09 07:14:55,618 [root] DEBUG: 560: Terminate Event: CAPE shutdown complete for process 560
2025-12-09 07:14:55,618 [lib.api.process] INFO: Terminate event set for <Process 3092 svchost.exe>
2025-12-09 07:14:55,618 [root] DEBUG: 3092: Terminate Event: Attempting to dump process 3092
2025-12-09 07:14:55,618 [root] DEBUG: 3092: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:14:55,618 [root] DEBUG: 3092: Terminate Event: Current region empty
2025-12-09 07:14:55,618 [root] INFO: Added new file to list with pid None and path C:\Windows\System32\wbem\repository\INDEX.BTR
2025-12-09 07:14:55,618 [root] INFO: Added new file to list with pid None and path C:\Windows\System32\wbem\repository\OBJECTS.DATA
2025-12-09 07:14:55,618 [root] INFO: Added new file to list with pid None and path C:\Windows\System32\wbem\repository\MAPPING3.MAP
2025-12-09 07:14:55,618 [root] INFO: Added new file to list with pid None and path C:\Windows\System32\wbem\repository\MAPPING2.MAP
2025-12-09 07:14:55,618 [root] INFO: Added new file to list with pid None and path C:\Windows\System32\wbem\repository\MAPPING1.MAP
2025-12-09 07:14:55,618 [lib.api.process] INFO: Termination confirmed for <Process 3092 svchost.exe>
2025-12-09 07:14:55,618 [root] INFO: Terminate event set for process 3092
2025-12-09 07:14:55,618 [root] INFO: Created shutdown mutex
2025-12-09 07:14:55,618 [root] DEBUG: 3092: Terminate Event: CAPE shutdown complete for process 3092
2025-12-09 07:14:56,618 [root] INFO: Shutting down package
2025-12-09 07:14:56,618 [root] INFO: Stopping auxiliary modules
2025-12-09 07:14:56,618 [root] INFO: Stopping auxiliary module: Browser
2025-12-09 07:14:56,618 [root] INFO: Stopping auxiliary module: Curtain
2025-12-09 07:14:56,633 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765235696.6337893.curtain.log; Size is 36; Max size: 100000000
2025-12-09 07:14:56,633 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-09 07:14:56,633 [root] INFO: Stopping auxiliary module: Evtx
2025-12-09 07:14:56,633 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Application.evtx to zip dump
2025-12-09 07:14:56,649 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-09 07:14:56,649 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-09 07:14:56,649 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-09 07:14:56,649 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\OAlerts.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Security.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Setup.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\System.evtx to zip dump
2025-12-09 07:14:56,680 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-09 07:14:56,805 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-09 07:14:56,805 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 329091; Max size: 100000000
2025-12-09 07:14:56,805 [root] INFO: Stopping auxiliary module: Human
2025-12-09 07:14:59,774 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-09 07:14:59,774 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-09 07:15:01,180 [root] INFO: Stopping auxiliary module: Usage
2025-12-09 07:15:02,321 [root] INFO: Stopping auxiliary module: During_script
2025-12-09 07:15:02,321 [root] INFO: Finishing auxiliary modules
2025-12-09 07:15:02,321 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-09 07:15:02,321 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat to files\42f9c76ccf7a86c64d1244263a0ff86751e86e025a5996c938bd49c2e24714a1; Size is 128; Max size: 100000000
2025-12-09 07:15:02,336 [lib.common.results] INFO: Uploading file C:\Windows\System32\wbem\repository\INDEX.BTR to files\36e4ea70c792027d90852d82f4e8516c631dfb025e866eca03c9e97c74c27d17; Size is 4440064; Max size: 100000000
2025-12-09 07:15:02,415 [lib.common.results] INFO: Uploading file C:\Windows\System32\wbem\repository\OBJECTS.DATA to files\0945e38c37a3627ffbd5bf08caec1739b68e13e15709c2d005186ad95946f69e; Size is 15802368; Max size: 100000000
2025-12-09 07:15:02,493 [lib.common.results] INFO: Uploading file C:\Windows\System32\wbem\repository\MAPPING3.MAP to files\23611cad09b010246b399191aa48de3fda137bbc527b21f9f1b07f36c97ebaf6; Size is 51312; Max size: 100000000
2025-12-09 07:15:02,508 [lib.common.results] INFO: Uploading file C:\Windows\System32\wbem\repository\MAPPING2.MAP to files\3d75f9dd3ae5d134be66887dabea9546dfd3169ba478598a32c66262a5bbd2af; Size is 51312; Max size: 100000000
2025-12-09 07:15:02,508 [lib.common.results] INFO: Uploading file C:\Windows\System32\wbem\repository\MAPPING1.MAP to files\6fc385af3433acbafa03047b3fdf676875441f8133612b67ce19fcb0968267ec; Size is 51312; Max size: 100000000
2025-12-09 07:15:02,508 [root] WARNING: Folder at path "C:\kfghOFCpn\debugger" does not exist, skipping
2025-12-09 07:15:02,508 [root] WARNING: Folder at path "C:\kfghOFCpn\tlsdump" does not exist, skipping
2025-12-09 07:15:02,508 [root] INFO: Analysis completed

Machine

Name	Label	Manager	Started On	Shutdown On	Route
win7-32bit-2	win7-32bit-2	KVM	2025-12-09 15:13:07	2025-12-09 15:16:30	inetsim

File Details

File Name	red_core.exe
File Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File Size	1236992 bytes
MD5	1b6bcbb38921caf347df0a21955771a6
SHA1	f464ca710afb55186e842ecbc550b55174f9261c
SHA256	0c3fc578835db3d9fab6839b0501c274c0e0b739fa0d4c102e21d5f228468d87 [VT] [MWDB] [Bazaar]
SHA3-384	317e2b885809218fa3a54956aace1ac0868d0e5f0d51bc29dfb221fe382d7327a30b4b8bf474ae0ad65eaa3e6725264a
CRC32	D419F5E1
TLSH	T13D45D010B681C437E0AB113445EB93765AAE78311B7AD4CBF7C49B3A2D616D1EB3438E
Ssdeep	12288:y5j+6tvqy0JxsIWTrWqI4KxZdfh4gI/JA6hxc:y5j+6tvqyPLTrQzWvhx
PE	File Strings BinGraph Vba2Graph

C+PjUV

A~w;/u

+":kX

1+1D1b1y1

- unexpected multithread lock error

-j:xC:

3I3N3_3i3s3x3

GetCurrentThreadId

H~N^/

RegSetValueExW

new[]

XUP-[w\

kX(c>

:!:y;

wFQzm

zcFAH

- not enough space for environment

tXFVP

Complete Object Locator'

>TalM

[Left]

095d#

RpcBindingFree

<?jH-

LC_MONETARY

k`='m

tx)V0!B

LoadLibraryW

CoCreateInstance failed: 0x%08lx

GetTimeZoneInformation

united-states

.ShellClassInfo

spanish-panama

*vw3$

9*949j9t9

Q@Qc-

5/6_6l6p6t6x6|6

GetWindowTextW

/+2rh

/z.:`T

0'0M0X0t0)1<1

7"8)8

npze|zL

.?AVlength_error@std@@

HeapCreate

7C7|7

nRX$*

F$9F t

CLPjQV

__ptr64

Sgtv<

GetTickCount

`RTTI

FlsAlloc

2+q9=

dSr^$

"V|MFU

Pf`)T&

ShellTime

E^O2&`4

`a5WH

?9?W?

.?AVout_of_range@std@@

[WIN]

;7|G;p

invalid distance code

operator

E'*88

portuguese-brazilian

.?AV?$codecvt@DDH@std@@

GetVersionExW

j)Z:)

.?AVfacet@locale@std@@

UnregisterClassW

2|fAo

Channel %s was not found.

b`p+s

Win%s %s

='=7=D=V=[=`=e=j=o=

8-9U9

jd_Fj

F`PjNS

m'QO*

p51WD

737E7J7P7B8

Read-only file system

T$@Rj

!n!R\

^(G)a

WriteConsoleW

G`9Gh

!v+Pz

X)$(9

O@;H(s

_oVVi|

?0?P?p?

invalid string position

:f;x;

[F11]

SWf9M

Pf95 /

GetUserNameA

InitializeCriticalSectionAndSpinCount

Il|T1

2E2c2

2.2U2b2h2

incompatible version

.rv?H&

AUX7p

9y@~k

lG*|a{

.?AUctype_base@std@@

\ouv}

u WPS

OaG50

Content-Length: %d

Parameters

WPhL,

TlsAlloc

0XXIf/

bad locale name

australian

6r' 3

;3=E=K=Q=X=a=h=n=u=

$Bk&l

C*PjTV

@_^[]

D+'04

*9PJ?

ServiceDll

:Cw@r`Y

n(9n$u

LoadLibraryA

1L2d2j2

f-]F)

Authorized application %lS is now enabled in the firewall.

CloseServiceHandle

chinese-simplified

}sD!O

rU;WE

;+;7;S;`;l;y;

292@2D2H2L2P2T2X2\2

F\PjMS

LockResource

holland

]?<644

n&@Sf-

dbHm$

0#0,02080K0^0p0

explorer.exe

R6026

This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

\RCoRes64.dat

Tuesday

20f\d

%s: unrecognized option '--%s'

kP;~Cq

spanish-dominican republic

>t99k

LLH@;

gtuNd

DeleteFileW

@}eixU

O5K&$d|

english-ire

"C,Rj

bXWL9

MultiByteToWideChar

J4*L-

A4+C4t

GetPrivateProfileStringW

'\Ob0LI?].[

700PP

lop&z

09i\3

Pe]Bv

america

GetUserNameW

z)}9<

v|G,z

Process32NextW

~$9~ ~

fsO9s

SUVW

2 2$2,2D2T2X2h2l2p2x2

O*9y]

+NBW<

?hSdM

6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6

unknown compression method

No error

RpcStringFreeA

"~e<d

`8i1KR

PQj2R

GetModuleHandleW

2%272I2

>_f0|:

hzT3Yz

.?AVbad_alloc@std@@

optarg_w

,[&-59

>$>2>

ImpersonateLoggedOnUser

:@;S;

abcdefghijklmnopqrstuvwxyz

-.c";,:

35&2i

0DO3P

R1h58

LocalizedResourceName64

asm686 with masm, optimised assembly code from Brian Raiter, written 1998

GetTokenInformation

~a!!a!!

Qkkbal

OpenSCManagerW

UE,3j4

GmRD$

pr-china

0`htU6

L$@Qj

SetHandleCount

`vector vbase copy constructor iterator'

insufficient memory

wY0Un)BJ

7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7

Ro=o>?

Friday

>9~$~

'--%s'

;-;[;v;

Q5No3

chinese

RegOpenKeyExA

__clrcall

opterr

[jXL<

6cVsA

south africa

\pipe\ntsvcs

__thiscall

6*6Z6

No such device

PjOSj

tej=S

FhPj8S

winlogon.exe

spanish-modern

T$ Rj

zsKC.

;t$,v-

(?F3J:

\0Ro$j}

spanish-costa rica

EncodePointer

Bad file descriptor

<+<D<K<l<~<

<%<*<1<6<<<B<G<O<U<Z<n<

VirtualProtect

english-caribbean

[}8Q}

AdjustTokenPrivileges

- not enough space for stdio initialization

EnterCriticalSection

%s: option '-W %s' doesn't allow an argument

GetFileType

9/9D9P9g9

GetStdHandle

FindResourceExW

&|3K

Not enough space

;:?D?T?

}AbK8>$

vPR_/

!^)M{

<J>C/

WWWWQR

/65&>Y

\$(+^

GetLogicalDrives

515L5V5[5s5}5

j@j ^V

HHty+

;(;0;4;L;P;`;

ewh/?y

9c@O83

oDvm>

D$ )D$

,x#\ k

jdShTB

Vl+Vp

<_xIX

;=;J;m;t;y;~;

,UgLw

SetFilePointer

SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost

\$Dj8

[CTRL]

__cdecl

ConnBody

4L4l4A7c7

Not a directory

Resource deadlock avoided

Type Descriptor'

g".C~

[Home]

OM{]s

[Ixj!

MJZ;n

wLBg

2L3d3

[Time]: %04d-%02d-%02d %02d:%02d:%02d

FtPj;S

k>\y,

OpenServiceW

?&?U?

www.%s.com

? ?*?<?A?K?W?a?k?w?

Gh9Ghr

#+3;CScs

8-9P9[9~9

V_:X1:

generic

COMSysSvc

CreateProcessW

;V;[;m;

tdVQh

uivPG

3=!bW

CorExitProcess

File too large

b;R@Q

Global\{CB191C19-1D2D-45FC-9092-6DB462EFEAC6}

`eh vector vbase constructor iterator'

6$747

(null)

5{<El9']

- Attempt to use MSIL code from this assembly during native code initialization

671{!

spanish-honduras

C9r9e(

{728264DE-3701-419B-84A4-2AD86B0C43A3}

~bO1P

EfFrEF

_getopt_long_only_a@20

5.6B6b6g6<8C8

,W|G&`sd

8!8)81898B8K8W8c8p8w8

(i|LihX

cxy{u

,V{S&E4

xGFf5

3 3/34393

0%0/04090>0E0L0Q0V0[0b0i0o0t0{0

RpcBindingFromStringBindingW

;= 7zdS

spanish-puerto rico

=L9o<

D$DWWj

p=,Y3LP

L$$_^[3

GetCommandLineA

~X2Vh]%

t$(J2

bi{bh

WRh`/

english-belize

Microsoft-Delivery-Optimization/10.0

HeapDestroy

SHLWAPI.dll

.?AV?$_Iosb@H@std@@

german-lichtenstein

DeleteCriticalSection

D$(Ph

RPVW3

1a&.AnVF

8+8^8

`h`hhh

Q'NN&

%B+'J

f!K5k

COMSvcGroup

Z nzs

`udt returning'

hUy5@)us

`placement delete closure'

WindowsFirewallInitialize failed: 0x%08lx

<`>d>h>l>p>t>x>|>

%s: option '--%s' requires an argument

**3~C

invalid bit length repeat

TTl@;

SysAllocString failed: 0x%08lx

CreateFileW

No locks available

CreateService Faild Because Service is ERROR_SERVICE_EXISTS!

[Down]

6J7g7

spanish-uruguay

SetUnhandledExceptionFilter

s'MLG

3d3s3

hong-kong

xpxxxx

NHqa}

=CbZ+

:vp=c

r!S~8

3"3N3U3z3

CoCreateInstance

.text

JXX'b

RtlUnwind

R6032

=$=9=

6*696

:!:@:E:J:P:X:

=:>I>

_getopt_long_only_w@20

q#2;Xa

;T$$f

'Jp,}|

:';7;

&$(Ug

>:u8FV

3m3}3

<P+T1

american-english

~I$1:

'ao^8

ineIu(

8Z$pc

718<8M8Y8a8g8v8

HeapReAlloc

f*(^+

bad exception

0$0)0A0d0h0o0s0z0~0

;4;o;

norwegian

_getopt_long_w@20

.?AV_Iostream_error_category@std@@

T#-H%

Directory not empty

:g873

am/pm

RegOverridePredefKey

http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s

invalid distances set

qcwnO

Is a directory

VirtualAlloc

7S8a8

( 8PX

;7`]cDe

>?j=j

ToieAX*

^e>{SL

FreeEnvironmentStringsW

3%4*4>4M4

>ZbS?

RtlGetVersion

2-2A2G2

[ E<O

Fb:U;

November

IsValidLocale

\cS0~u

pm#k{

608v9

7d7i7o7

7J7Q7X7e7w7

49563

.UG@:

> >J>P>V>l>

L$,Qh

SetEnvironmentVariableW

runtime error

w.SkX

`vbase destructor'

`vector deleting destructor'

*wDE?

%SystemRoot%\system32\svchost.exe -k

&0,0004080

4}<)}A

YM:@+

:QZje

ncacn_np

system

:P;_<

6Aymz

QHG\B

[PageUp]

L$`QR

=gXLn

RnDUFvdXN

D$8t1

G u<Y%

.?AVfailure@ios_base@std@@

S0Y0c0

[ESC]

2"393

>W>c>h>r>

}Do(@_he

DestroyEnvironmentBlock

\j,N)

|620/

!ryyx(

<$<0<<<S<e<q<~<

q![X.

GetFileSize

October

english-aus

R6008

[Num Lock]

spanish-mexican

f9;u

No such file or directory

44)2=

A/^E2

Ad}oJ.

ios_base::failbit set

ExitProcess

%s: unrecognized option '%c%s'

0ZL-i

R6019

Runtime Error!

t$HHt

File exists

qmdvucpg~oKAPMQMDV~uKLFMUQ~aWPPGLVtGPQKML~pWL

>%- B

lPB9}[0

<$xDx

][_^Y

R6016

9](SS

*0;|j

GetForegroundWindow

=H>j>z>

%F2KUO

UnhandledExceptionFilter

<5-rL

282@2L2l2t2

mscoree.dll

7Fn(i

[Context]:

;(v3N

LoadResource

-!/!_

F8PjDS

DefWindowProcW

CreateMutexW

HeapAlloc

MLMqY

IconResource64

8&9:9Q9j9x9

Genuu8

UTF-16LE

%s: option '-W %s' requires an argument

SetThreadContext

lstrcpyW

S3N}^

5!5&5+505g5

oF ej

english-american

VVVVV

SING error

-pVvF

<!<'<;<A<K<R<_<e<

3?3g3m3u3

wf93t

Class Hierarchy Descriptor'

?If90t

HMEr;)

J!=!7

TASKKILL /F /IM rundll32.exe

:Sj$h

delete

u$h@2

tRHtC

="=.=:=E=

GetProcessWindowStation

@PAQBR

xQ(-a

%03X%02X%02X%02X

get_LocalPolicy failed: 0x%08lx

t VV9u

@o'EF~

ProxyServer

Resource device

RpcStringBindingComposeA

Server: nginx/1.4.7

!sMXH

0)0@0Z0a0o0~0

RegCreateKeyW

put_ProcessImageFileName failed: 0x%08lx

LoadUserProfileW

8\cVD

PPPPPPPP

1(181<1L1P1X1p1

w+OQvr

[Title]: %s

3>1>6

2P4T4X4t4x4

4%4B4Z4_4d4i4n4

HtbHu

RWSVP

^ujwQ

9~Ttf

invalid code lengths set

(@<`*`.

{D9AE3AB0-D123-4F38-A9BE-898C8D49A214}

818D8

Y_^[]

\`%^UY

CY</#

Hardware\Description\System\CentralProcessor\0

`vector destructor iterator'

UnloadUserProfile

FTPjKS

6D{T[

mLRmw

qr8yu

[-&LMb#{'

2"2/292?2D2K2d2v2|2

1 1$1(1,1014181<1@1D1

canadian

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~

Cookie: %s

tSj=V

__eabi

xSSSh

RPCRT4.dll

rZc9hiq

spanish-guatemala

=\=~=

tna[h<

WindowsFirewallAddApp failed: 0x%08lx

`h````

/$ah<

_ej+y

[N;E{

O(9O$u

GetProcAddress

CHPjPV

FxPj<S

TlsGetValue

_S.FYN@

2@3K3U3f3q315B5J5P5U5[5

QRh -

Permission denied

invalid block type

6E9za2

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

\d^uG

- not enough space for thread data

GetLastError

>oqTn>`x

Y0J}l

Norwegian-Nynorsk

SYSTEM

5)IZ$

5l?@(

dkmr}

7#7G7M7S7b7h7

T@{9{

D$0^][_

//EQ@

F<PjES

!UX:P

|!y~0

wn>Jj

svchost.exe

D$\V3

6]6i6}6

`vector constructor iterator'

Interrupted function call

nGE;5

=,=I=S=h=

YQ$Uc

RegOpenKeyExW

6D7J7X7b7l7w7}7

%s: option requires an argument -- '%c'

WU?CeA

Sunday

C.PjRV

CjRnY?

P1T1X1\1`1d1h1l1p1t1x1|1

u 23X

=e@;}dK

?#?<?Z?

M-QMS

>+>3>8>=>B>G>L>\>i>o>z>

D$<j(

Improper link

- CRT not initialized

T#3aK

GetLocaleInfoA

T!FrY

0;1tt

3p$ )

^TcHJr'

IsBadReadPtr

Sleep

WOW64

-/<Bk]

]H7K#

z^>]x

GetShortPathNameW

>%:Dk

I?{xK

o~08t

9 9<9@9`9

XBoxDllShellCode.dll

4$4*4=4M4U4

H\$v<@

SHGetSpecialFolderPathW

Saturday

F(Pj,S

Vlf+Vd

!! Ij

Result too large

FP|Xt:

zuxVV

.?AV_Generic_error_category@std@@

__stdcall

:a=r?dE

000@0H0\0d0x0

9] SS

5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5

IconResourceDns

D$(+D$

{g]^p

vYslJ

Function not implemented

8I9v9

R6028

Y:wZ"

}u+sWME}

1&1.1>1V1q1v1

QPhP.

or?"gUgW

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

#k+TSpMV

_RZc=

c#tKN

t$D#t$

FR^.,

JT.6n

GetCurrentProcess

Unknown error

T$PWR

`typeof'

2!3Z3

- pure virtual function call

lL(k+

`eh vector copy constructor iterator'

.!S<f`

.?AVios_base@std@@

invalid literal/lengths set

>0>P>l>p>

r(-C,mQ

jjUdE

~7 4y

SizeofResource

</security>

575I5c5}5

#bML"

JDd+~+iG+i

((((( H

aFZjUU

england

:8:h:z:

HODkF

Filename too long

2V2f3x3

dddd, MMMM dd, yyyy

CreateToolhelp32Snapshot

2 2$2(2,2024282<2@2D2H2L2P2T2X2\2x2|2

BQNmn

F@PjFS

xi,mQy

V<GNc

slovak

1;1B1O1a1~1

?"?1?=?

700WP

79FJQ

f^p]p

s*`pR

Agent

*08>5

get_Enabled failed: 0x%08lx

WriteFile

1?1E1K1

LC_ALL

1:CRc\

5\ \#

[,T x0o

=*>?>H>

9d9s9

&psid=

8-999

[F12]

=z!O^

>$>+>2>9>@>G>N>V>^>f>r>{>

]qe1vu

)\ZEo^m/

l~!#S.

WS2_32.dll

GetAsyncKeyState

9>:l:L;

IsDebuggerPresent

r}Ta]

8R{lR

OpenThreadToken

CoInitializeEx failed: 0x%08lx

@.data

FlsFree

F0Pj.S

HttpQueryInfoW

kT0 ~

tvHt#

`eh vector destructor iterator'

ntelu0

WININET.dll

F4Pj/S

|=~?=

L$@Qh,3

.?AVlogic_error@std@@

Domain error

american

- unable to open console device

T$$QUR

4&636

`omni callsig'

Unknown exception

\Parameters\

?s/Zo[

FlsGetValue

`w-8f

oFD><

Q(yA]

8 8,8`8

- floating point support not loaded

optind

<mo84

south-africa

Y!3\s

xppwpp

5%Tf@

3 4.4\4n4s4y4b5

Authorized application %lS is disabled in the firewall.

t*=RCC

`dynamic initializer for '

HtcHt.

InternetCloseHandle

3rB5J

<*<;<t<

L$8QSRVP

6h7u7J8T8

.%J.&

647T7D8m8

4:4W4^4j4q4

spanish-peru

$m[/:

english-can

;ru.r

_ih\ip

Accept-Ranges: bytes

August

R6002

GetOEMCP

[Right]

spanish-ecuador

?5?<?C?s?

D$ j@h

Vista

P8X8`8h8p8x8

.?AVbad_exception@std@@

:D]LQ?

?I?u?

FPPjJS

StartServiceW

=MEw-b

A@(e\

- abort() has been called

]0e0v0

h(((( H

i_#Un

+>UV7

SYSTEM\CurrentControlSet\Services\

`local vftable'

norwegian-nynorsk

ILYhW

j3?-B

french-belgian

EdU/vbt

spanish-colombia

127.0.0.

6zJKv6

spanish-el salvador

;bweA

=T=f=

> ?$?(?,?0?4?8?<?@?D?

1 1$1D1d1

Q?se4

sCI?y8t

s~kAk

,@GU|G

4/4C4T4

`vector copy constructor iterator'

ios_base::badbit set

"M:J57

NJ2"v

YBFrh

9F9n9

EvtSubscribe

6;6N6

)UG6y

Too many open files in system

829d9

$z~#

1D1Q1f1

127.0.0.1

hQT`A

- not enough space for locale information

CreateService Faild Because Service is ERROR_IO_PENDING!

D$hSVWh

=bmd3

D$,uH

grpconv.exe

2s3}3

PS Mk9F;ul

1|f$;i

Oh;O\sR

incorrect length check

&!SGn

FBZ<L]I>

April

__restrict

delete[]

}@y$O&

?(X;9

C$PjQV

09-'M

1G2~2

H*0"ZOW

6H7L7P7T7

rso((

?3?:?D?V?m?{?

InterlockedDecrement

4"4)464V4`4

SSSSS

Z3UJM

DecodePointer

#lR[z

rEAi_)

T$(;P

s7NnN

Too many open files

2012 R2

qUjK`r

Exec format error

9MqLK]

C/PjSV

LCMapStringW

+H-}E#

A8]Cq

P,Q\&

header crc mismatch

TOpRj

german-luxembourg

`Ifr|

`default constructor closure'

j]jVY

URPQQh`

iostream

HeapFree

j#jh(e]

gM)

Ct*BU

.?AVsystem_error@std@@

oXQFD

0F0X0

tR99u2

h4vDl

`local static guard'

HTTP/1.

optarg_a

>)>i>w>

ABCDEFGHIJKLMNOPQRSTUVWXYZ

WriteProcessMemory

%s: invalid option -- '%c'

o5P^"

\ko}E

C,PjVV

dL!ar

1O2k2{2

*K[~Jh

UTF-8

Add failed: 0x%08lx

VirtualFree

|uo;H

Global\{E68DFA68-1132-4A32-ADE2-8C87F282C457}

R6024

031<1H1'2

GetCurrentThread

.?AVexception@std@@

IiGM>nw

F$Pj+Sj

8p~A8;

<7<B<I<

9T:g:|:

RvQ1nm

HHtk2

<(<-<><H<Q<]<g<q<

F|Pj=S

"z[)&oD

t(SSSj

Operation not permitted

u.95\#

0V0]0

J{[{Vs

)YkX>

:.:6:?:x:

=4Ein

InternetOpenUrlA

Hv83yP&

3'3m3

8"9K9\9p9

LA+@V

Supports System COM+ Service, If this service is disabled, users of this computer will not be able to use this service.

CreateProcessAsUserW

EJFZE

mjRry

=.?5?=?E?M?s?

Y__^[

uzu2{

Visual C++ CRT: Not enough memory to complete call to strerror.

yNbBo

stream error

:$:d:n:y:

Resource temporarily unavailable

L$(+L$

UDYiO

aZl[L

:E:o:

unknown header flags set

:*ot~eT

N|o?}

KG^;;

f#5Mf,C=

jjjjjh

#*I0<M[X

NZCe8[X

g!yVV

^oEZ_

QRh0+

.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@

[F10]

hK{IL

&rqw9

HHtYHHt

LookupPrivilegeValueW

[Backspace]

swiss

MessageBoxW

EnumSystemLocalesA

Event/System[EventID=1149]

GetActiveWindow

.rsrc

south-korea

=$=0=6=>=D=P=V=c=m=s=}=

{'F,*

_i#3.

^|lH\q

`virtual displacement map'

GetConsoleCP

english-trinidad y tobago

4:4J4^4j4

December

swedish-finland

0`0m0

v82u$C&

J)5<K2Ge

6E72Ja

Q1}/4V

5fnxLw

#Ol)I

string too long

Base Class Descriptor at (

>ee=u

RaiseException

\T<Po

%[e@U

Cache-Control: no-cache

j.h$E

X\(,]

v"6/s

UQPXY]Y[

6P6u8.:

gCj/J

SetLastError

:E'E7

Gpi3g

< <(<,<4<H<h<t<

CheckTokenMembership

:":>:D:S:m:w:

`eh vector vbase copy constructor iterator'

D-I0Q

cGf6d3

Win%d.%d.%d %s

InitializeCriticalSection

<Enter>

]$:?>

french-canadian

GetLastActivePopup

h qig

8(858@8K8Q8W8]8c8i8F9

Base Class Array'

5#5=5D5Y5`5q5x5

Nlf+Np

dv}0(

This indicates a bug in your application.

F*FVe

german-swiss

uASRS

X.x+n

0A2n2

[Del]

`vcall'

TLOSS error

ioi=e#

?$?0?4?8?<?@?D?H?

R6010

Nl#N4

u)jAXf;

No space left on device

~3()n

xMX!-

KERNEL32.dll

=.>6>t>h?~?

L$XRf

DOMAIN error

SunMonTueWedThuFriSat

SetFileAttributesW

.VBT`V

FLPjIS

KD/yU>

wyO 08

January

CreateWindowExW

v,3;v

%s: option '--%s' doesn't allow an argument

=/=Y=}=

nKERNEL32.DLL

GetConsoleMode

Global\{2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}

gRC"\

GetTimeFormatW

http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s

2B2L2T2d2j2

J1B244<4

<5<N<j<

TZyHfi

SubscriptionCallback: Unknown action.

InterlockedIncrement

682tB:

gV,z4

&N9c[

NTDLL

Eo>@7

y)-@Ln

IsWow64Process

0L1g1

GetUserObjectInformationW

china

N<'pb

j_E`>=

L$Th@

^R_R)

aSg'M

GetCPInfo

;&<Y<c<i<J=|=

<^jvS

>'>@>

;+N?Rg

m]=PZ

EvtRender

KJVW(

biu9mM

PRhx,

spanish-venezuela

`local static thread guard'

B&b0yL

:,:<:b:

Y8JwV

`managed vector constructor iterator'

0"161L1c1

QueryPerformanceCounter

<iG1[w

H_K!sC"

TlsFree

lXB&z

v)~vN

No such device or address

Q<@WN

V0WSR

Invalid argument

QQSVWd

american english

1A26b

nosvc

b|])Vv@

Content-Type: text/html

`vector vbase constructor iterator'

#eipep

yNGGl

cY>l)

$+^pBG

chinese-singapore

incorrect header check

|$Dj8

[+>ge

04080P0`0d0h0l0t0

Software\Microsoft\Windows\CurrentVersion\Internet Settings

!=ZgI

V,^]3

C2ks=

3n5$6.6

^ZwZ{

6$QxB

chinese-traditional

>9>VpF

WritePrivateProfileStringW

SetEnvironmentVariableA

6,646<6D6L6T6`6

dE!jE

lstrlenA

buffer error

!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

UZ7{p{

"A,\n

>G>Q>i>

181H1\1p1|1

RegQueryValueExW

Q&}Cr

FdPjOS

wI%2K

WPh0,

irish-english

belgian

PathFileExistsW

> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>

4h5YE

g@/~Hg

.?AVerror_category@std@@

4)4:4G4R4Y4c4j4

invalid literal/length code

GetUserDefaultLCID

7E7n7x7

Invalid seek

xaV(J

L8<.c

kO=Rnv

Dl|D"

A@SlP2

Connection: Close

rd,eM,<|P

QPh`0

So 'Q[

>(>8><>L>P>T>\>t>

Y/2f)

Program:

:WndClassName

PVVRV

1 1%1-121:1?1F1U1Z1`1i1

FXPjLS

?P?U?

20190318

0[ Ms

.-aS]@

<.)ptJ

%02X%02X%02X%02X%02X%02X

GetComputerNameA

toiyeuvn.dongaruou.com

1.2.8

USER32.dll

7{F*,7

qas<#

55N]M%

BR;}2%

c|Q0

tce}+L9=

F:+Sf

TerminateProcess

Process32FirstW

3 383H3L3\3`3d3l3

t?VSP

SetStdHandle

cmmon32.exe

=4TH}3

8%9*9{9

>Y DO

WTSGetActiveConsoleSessionId

WdMo=

invalid distance too far back

SetTokenInformation

WinExec

[a{wY

I%:XKX

IPHLPAPI.DLL

GetSystemInfo

ProcessIdToSessionId

F6Ih!

great britain

stream end

spanish-argentina

GetLocaleInfoW

b+|,%

[PageDown]

french-luxembourg

qrAGL

VRPQh

1BPij[Z

C)-{c

4-<*C\K

K\F\\

S)w'=TX

7]7c7

>$>(>,>0>4>8><>@>

]Mj~j

uTVWh

InternetOpenW

3)3M3x4

iostream stream error

Arg list too long

\B#1_

8$8c8o8~8

<%<C<%=

- unexpected heap error

english-jamaica

4$4(484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4

<T=p=v=

RegOpenCurrentUser

RpcStringFreeW

GetProcessHeap

ViD-s

2#2)232<2G2L2U2_2j2

OtXhWs

V|yBn

ios_base::eofbit set

9F se

0 0@0`0

~z<|wg

T$ Rh?

@.reloc

LocalAlloc

[Space]

Microsoft Visual C++ Runtime Library

2)272L2V2|2

@)mh>

- not enough space for arguments

\desktop.ini

QM?k{C

O<5.nQ

english-us

8(KKC

x)%<M

s.Wj

'dV;|

english-uk

L$t_^[3

__fastcall

`string'

ole32.dll

2]u2h[Zm

GetStartupInfoW

bmB=S

[wuwC

z\Cq%

84L\;

4E5X5h5+737=7M7Y7_7i7y7

HHtXHHt

bad cast

|TXX`

get_CurrentProfile failed: 0x%08lx

need dictionary

RegCloseKey

english-usa

CreateServiceW

vQO+t

GetSystemTimeAsFileTime

g?`X7

ExitThread

3T3Y3_3

spanish-bolivia

394?4Q4n4

hrqHr

%^'N8

A#a+Rih

MM/dd/yy

:0Bv\~

hE:%wfF

1nLZv

.?AV_Locimp@locale@std@@

|$ WSPV

- unable to initialize heap

9~4u(

`f\esm4Uw

FlushFileBuffers

ifu{w

R6031

mj>zjZ

CreateThread

w<+wt

GetAdaptersInfo

xl>J$Qk

Core Networking - IPv4 (IPv4-In)

dutch-belgian

*#\&w

9Ghs%

GetDateFormatW

EvtSubscribe failed with %lu.

IconResourcePort

?%?*?3?9?>?G?M?R?[?`?e?j?s?{?

^{m#wS

7<7H7h7t7

w_$mc8-

t"SS9] u

`scalar deleting destructor'

B(^uH

1wsHp

?4?L?V?e?

4Z=bz

uu4A}

Y_;q+

=/gQGR_

GetModuleFileNameA

^SSSSS

Pj)Sj

March

lstrlenW

y|$1nk

WWWWW

south korea

Bad address

WaitForMultipleObjects

@C2%`

%s: option '-W %s' is ambiguous

DuplicateToken

GetACP

3!K1p

german-austrian

qSx<W

%s: option '%c%s' doesn't allow an argument

j]jl3

J'UW4R

38K=V

t%HHt

ADVAPI32.dll

6o7w7

SHELL32.dll

OSWqy

: :(:0:8:@:H:P:X:`:h:p:x:

R6027

`local vftable constructor closure'

english-nz

CONOUT$

OpenMutexW

GetMessageW

</requestedPrivileges>

</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

3+3M3|3

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299

tCHt(Ht

FDPjGS

ReadFile

WindowsFirewallAppIsEnabled failed: 0x%08lx

DispatchMessageW

HTTP/1.1 200 OK

referer=

Xu"x)

WTSAPI32.dll

W}R9b

WinSta0\Default

CreateEnvironmentBlock

GlobalMemoryStatusEx

MF9YX

C PjPV

16YC'

=%=*=/=4=D=s=y=

c8_'

.rb40

0`1d1

msgsm64.acm

^da<mn

.(9^/

PdZSU

Wj@hP

2D3J3X3b3l3w3}3

556v6

DuplicateTokenEx

GetCurrentProcessId

-X,sF

.?AVcodecvt_base@std@@

=(=4=P=p=

vvi?P

`eh vector constructor iterator'

=Z;j~

QW@Ph

FreeLibrary

P+!3l(

0G0P0\0

<4>J>

bad allocation

0(3+nG/

tNHt%

EF,+Z*

)g%Fd%

invalid stored block lengths

^cmv6

<1^OW

data error

%Qu6v7

Monday

6K6R6e6l6v6

k%"A1

incorrect data check

KSb\KS

7mu:*0R

.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@

93Y,4

Tf^tK

1Bn`8

ActiveX Update

~,WPV

WQh$/

7'838F8X8s8{8

\desktopWOW64.ini

h4btB*e

On0ykRZ

+G{@P

4G5M5`5

HH:mm:ss

<"=T=|=

('8PW

lstrcpyA

JanFebMarAprMayJunJulAugSepOctNovDec

[Insert]

chinese-hongkong

T$"Rf

LC_CTYPE

6`7`!@

#OVy%

SetEndOfFile

- not enough space for lowio initialization

POSIXLY_CORRECT

&8|gq

j2hTB

4=4D4[4x4

tx~?j

GetLocalTime

/vEU

ChangeServiceConfig2W

UNICODE

^MnO>

]V2[\?

Authorized application %lS is enabled in the firewall.

_getopt_a@12

JbN\<

OLEAUT32.dll

u&WVS

r]X<]=

6 6$6(6,6064686H6L6`6d6h6

UTB)/

CoInitializeEx

_getopt_long_a@20

<&=4=W=^=d=q=

:3:V:

R6030

GetNativeSystemInfo

5"5+515a5p7x7

.t|PVj@

3(>4>@>L>X>d>p>|>

R6033

((b8WI

SVWUj

?+f{$

0#0(0,000Y0

GetSystemDirectoryW

.?AV?$ctype@D@std@@

HttpQueryInfoA

FlsSetValue

get_AuthorizedApplications failed: 0x%08lx

/hPj<

6Cj>M

LeaveCriticalSection

britain

U]Ofm7

Cs->%

jjjjj

Y/L '?

February

`7]=G

= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=

v}{f[Fi{F

Q%dm1

FYY;u

?(?/?4?8?<?]?

20393?3D3\3v3

[End]

[Enter]

SetErrorMode

Wednesday

;]xs_r+

.?AVruntime_error@std@@

7lUJL

IsValidCodePage

WaitForSingleObject

IJB/m

Fast decoding Code from Chris Anderson

+D$(;

xsfRO

Thursday

September

FHPjHS

[~_=d

roF l

w_hZ=_

_a->D

.?AV_System_error_category@std@@

8'8/8?8E8V8

<%<f<

:;];!

__pascal

6[ZYw

F,Pj-S

\ws^o

spanish-nicaragua

CoUninitialize

:*P|Rs

;4;Q;

WUSER32.DLL

:-8[:]

PijU19hgT

1-1:1?1M1(2

The query "%s" is not valid.

_<<K*D

1}0.}'W^g

*N4Nj*

OpenProcessToken

G\.@6

OZw3(?

`vbtable'

- Attempt to initialize the CRT more than once.

4(4,4044484@4X4h4l4|4

Fwr:b

%s: option '%s' is ambiguous; possibilities:

8)8L8

M9=$t

FpPj:S

<6O/v/

No such process

`copy constructor closure'

r] `=

WQhL,

2,2h2

>8?d?y?

<3<R<

.?AVCAtlException@ATL@@

2Q2i2

CYLHq#g

2008R2

4C5@6

&v%OVA

]5->@WM2

;+Y;g

.?AVtype_info@@

mR/@c

Illegal byte sequence

8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8

[TAB]

T$`RP

wsc.dll

C{rHh

UumTM

VG\K}Q

wkPSQR

434D4Q4X4h4z4

RpcBindingFromStringBindingA

SQuK<

F,^]3

Win%s Sp%d %s

R6018

D$8+F

LC_COLLATE

R6025

AO-q4

CreateWellKnownSid

1 1@1

PPPh`I

uvh 5

8sPv^

+SXN[

=3Zo]

WGqrI0

english-south africa

RpcStringBindingComposeW

put_Name failed: 0x%08lx

FlPj9S

`placement delete[] closure'

s^{IG

(|>U>

GetModuleFileNameW

TlsSetValue

</trustInfo>

{F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}

H#5`t[

optopt

GetCommandLineW

)G^`M

COM+ Support Service

__unaligned

PPPPP

GetStringTypeW

"meI[N~n

/1q`L<aN

CloseHandle

0$060H0Z0l0~0

J'T?v/

[Print Screen]

USERENV.dll

WTSQueryUserToken

Y_)*#K

FindResourceW

:4)o;

ZJY2/

>$?G?Q?

Rc8-(

5 6?6^6

Af9q.

/AjV'<i

!p;"6

Input/output error

Inappropriate I/O control operation

]M`|_M

.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@

3 3(343T3\3h3

l6qnk

__based(

< tK<

SeDebugPrivilege

new-zealand

gU<CJn

}8Dp]

Too many links

R~??@Z$

&AZQ+6G

wrbg?

GetThreadContext

O.[/s"wP

tAVWP

>*?<?

LocalFree

@e3@e)

O92vI

O@;H s

LC_NUMERIC

Dn#]&

X_U*

`dynamic atexit destructor for '

a+-C}

QU3t;P

PKCRi7

QQSV3

[#p^f

5B5V5j5

C-PjWV

>%>?>K>h>

2G2]2t2

ProxyEnable

KA!H;

9|$`r

=<S;D

%>--v

@PSVV

Broken pipe

pr china

t$j4j

OpenProcess

;Q;g;

2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2

invalid code -- missing end-of-block

-GGhB

F Pj*S

0l1r1

[Scroll Lock]

%!DVDN

5R@FV

737_7l7

too many length or distance symbols

#;6Y;

Ap{Fx

tl9_ tg9_$tb

norwegian-bokmal

RegisterClassExW

]5+lj

4(454@4K4Q4W4]4c4i4

file error

5 6J6}6

5"5,5`5k5u5

`managed vector copy constructor iterator'

3/3I3

- not enough space for _onexit/atexit table

InternetSetOptionW

K#~0 }

4.4}4

invalid window size

.?AVbad_cast@std@@

9%:?:H:o:|:

PQP7X

TranslateMessage

N,_^]3

CompareStringW

?H>(=

=o<~Q

= =$=,=D=T=X=h=l=p=t=|=

1O0<O

No child processes

italian-swiss

french-swiss

? ?$?,?D?T?X?h?l?p?x?

HjdSh

;-]sI

QSWVj

Ea=2yQ|

'n):2

PRhh+

R6017

=*=3=8=B=L=X=]=

5w",

spanish-paraguay

i]=Avd

$[^_]

4ordJ

^Gupl

J/jx>

spanish-chile

WAsN.

czech

cTt-A;

trinidad & tobago

|~M/<Vy

L$ H#

h:l:p:t:x:|:

F ;F$t

QQQQV

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

qwJBg

P^HVn

~@yqu`H

WideCharToMultiByte

3l4t4

ReleaseMutex

OPqjg

http://%s:%d/

/dy_M

HeapSize

WSAIoctl

0g1w1

LC_TIME

9|$(t

t!WVj

VirtualAllocEx

RJ/RJ

BnKeN

O.kB!

tEHt0

5v8z8~8

N5"a}

>L>T>b>r>x>

_,`'>

IsProcessorFeaturePresent

R6009

0"010?0I0O0e0j0r0x0

F0WSP

`managed vector destructor iterator'

$3Ljq\

9F9M9b9

t-u"=%N(

IconResourceNoSvc

,jWRM

.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@

K39X@%

united-kingdom

`VTH/2:

L$ Qh

9$9,949<9D9L9T9\9d9l9t9|9

CreateEventW

VVVVj

_getopt_w@12

GetEnvironmentStringsW

$\"|Fr

% *;WD

`vftable'

5 5(50585<5@5H5\5d5l5t5x5|5

wevtapi.dll

f6B@E

P>OTq

puerto-rico

9c:h:q:

9 9(90989@9H9P9X9`9h9p9x9

GF?.x

: :<:@:`:

:IW`(L]

mZKk~O.I

}}l;Fuf

mF3$d

6]O7*U

9|$|r

`.rdata

3=4W4

ResumeThread

qX1g2c:

GD)op)ol

GetKeyState

q:Pl?!

D$8SVW

OutputDebugStringW

VVVVVQRSSj

PE Information

Image Base	Entry Point	Reported Checksum	Actual Checksum	Minimum OS Version	Compile Time	Import Hash	Exported DLL Name
0x10000000	0x00012bf2	0x00067f0d	0x0013206b	5.1	2019-03-06 10:20:32	37e48d0816c7485d18b7cc3e0d8ed0a0	XBoxDllShellCode.dll

Sections

Name	RAW Address	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00000400	0x00001000	0x0002a106	0x0002a200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.67
.rdata	0x0002a600	0x0002c000	0x0000c99e	0x0000ca00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.80
.data	0x00037000	0x00039000	0x0002d8ac	0x00029200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.94
.rsrc	0x00060200	0x00067000	0x000001b4	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.12
.reloc	0x00060400	0x00068000	0x0000311e	0x00003200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	5.35

Overlay

Offset	0x00063600
Size	0x000caa00

Name	Offset	Size	Language	Sub-language	Entropy	File type
RT_MANIFEST	0x00067058	0x0000015a	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.80	None

Imports

Name	Address
SizeofResource	0x1002c07c
LockResource	0x1002c080
WaitForMultipleObjects	0x1002c084
WinExec	0x1002c088
SetFileAttributesW	0x1002c08c
lstrcpyA	0x1002c090
GetNativeSystemInfo	0x1002c094
FreeLibrary	0x1002c098
HeapAlloc	0x1002c09c
HeapFree	0x1002c0a0
VirtualFree	0x1002c0a4
GetProcessHeap	0x1002c0a8
IsBadReadPtr	0x1002c0ac
SetLastError	0x1002c0b0
GetProcAddress	0x1002c0b4
LoadLibraryA	0x1002c0b8
VirtualProtect	0x1002c0bc
WaitForSingleObject	0x1002c0c0
OpenMutexW	0x1002c0c4
GetLocalTime	0x1002c0c8
ReleaseMutex	0x1002c0cc
GetCommandLineW	0x1002c0d0
GetComputerNameA	0x1002c0d4
GetModuleHandleW	0x1002c0d8
GetCurrentThread	0x1002c0dc
OpenProcess	0x1002c0e0
GetVersionExW	0x1002c0e4
Process32FirstW	0x1002c0e8
LocalAlloc	0x1002c0ec
IsWow64Process	0x1002c0f0
GlobalMemoryStatusEx	0x1002c0f4
CreateEventW	0x1002c0f8
GetSystemInfo	0x1002c0fc
Process32NextW	0x1002c100
CreateToolhelp32Snapshot	0x1002c104
DeleteFileW	0x1002c108
LocalFree	0x1002c10c
OutputDebugStringW	0x1002c110
SetStdHandle	0x1002c114
WriteConsoleW	0x1002c118
SetEnvironmentVariableA	0x1002c11c
SetEnvironmentVariableW	0x1002c120
CompareStringW	0x1002c124
IsValidLocale	0x1002c128
EnumSystemLocalesA	0x1002c12c
GetLocaleInfoA	0x1002c130
GetUserDefaultLCID	0x1002c134
SetFilePointer	0x1002c138
LoadResource	0x1002c13c
GetSystemTimeAsFileTime	0x1002c140
FindResourceW	0x1002c144
FindResourceExW	0x1002c148
CreateThread	0x1002c14c
lstrcpyW	0x1002c150
ResumeThread	0x1002c154
WriteProcessMemory	0x1002c158
CloseHandle	0x1002c15c
GetShortPathNameW	0x1002c160
WTSGetActiveConsoleSessionId	0x1002c164
ProcessIdToSessionId	0x1002c168
VirtualAllocEx	0x1002c16c
VirtualAlloc	0x1002c170
GetLastError	0x1002c174
WritePrivateProfileStringW	0x1002c178
lstrlenW	0x1002c17c
MultiByteToWideChar	0x1002c180
CreateFileW	0x1002c184
GetModuleFileNameW	0x1002c188
ReadFile	0x1002c18c
Sleep	0x1002c190
WideCharToMultiByte	0x1002c194
GetSystemDirectoryW	0x1002c198
GetPrivateProfileStringW	0x1002c19c
GetLogicalDrives	0x1002c1a0
GetCurrentProcess	0x1002c1a4
CreateProcessW	0x1002c1a8
SetErrorMode	0x1002c1ac
lstrlenA	0x1002c1b0
SetThreadContext	0x1002c1b4
CreateMutexW	0x1002c1b8
GetFileSize	0x1002c1bc
GetThreadContext	0x1002c1c0
GetCurrentProcessId	0x1002c1c4
GetTickCount	0x1002c1c8
QueryPerformanceCounter	0x1002c1cc
GetModuleFileNameA	0x1002c1d0
GetLocaleInfoW	0x1002c1d4
SetEndOfFile	0x1002c1d8
LoadLibraryW	0x1002c1dc
GetTimeZoneInformation	0x1002c1e0
GetConsoleMode	0x1002c1e4
GetConsoleCP	0x1002c1e8
GetStringTypeW	0x1002c1ec
GetEnvironmentStringsW	0x1002c1f0
FreeEnvironmentStringsW	0x1002c1f4
GetStartupInfoW	0x1002c1f8
GetFileType	0x1002c1fc
InitializeCriticalSectionAndSpinCount	0x1002c200
SetHandleCount	0x1002c204
HeapSize	0x1002c208
TlsFree	0x1002c20c
TlsSetValue	0x1002c210
TlsGetValue	0x1002c214
TlsAlloc	0x1002c218
IsValidCodePage	0x1002c21c
GetOEMCP	0x1002c220
GetACP	0x1002c224
GetStdHandle	0x1002c228
WriteFile	0x1002c22c
HeapDestroy	0x1002c230
HeapCreate	0x1002c234
IsProcessorFeaturePresent	0x1002c238
IsDebuggerPresent	0x1002c23c
SetUnhandledExceptionFilter	0x1002c240
UnhandledExceptionFilter	0x1002c244
TerminateProcess	0x1002c248
GetCPInfo	0x1002c24c
LCMapStringW	0x1002c250
RtlUnwind	0x1002c254
RaiseException	0x1002c258
GetCommandLineA	0x1002c25c
GetCurrentThreadId	0x1002c260
GetDateFormatW	0x1002c264
GetTimeFormatW	0x1002c268
HeapReAlloc	0x1002c26c
ExitThread	0x1002c270
LeaveCriticalSection	0x1002c274
EnterCriticalSection	0x1002c278
DeleteCriticalSection	0x1002c27c
InitializeCriticalSection	0x1002c280
FlushFileBuffers	0x1002c284
ExitProcess	0x1002c288
DecodePointer	0x1002c28c
EncodePointer	0x1002c290
InterlockedDecrement	0x1002c294
InterlockedIncrement	0x1002c298

Name	Address
GetAsyncKeyState	0x1002c2e0
GetForegroundWindow	0x1002c2e4
GetKeyState	0x1002c2e8
GetWindowTextW	0x1002c2ec
GetMessageW	0x1002c2f0
TranslateMessage	0x1002c2f4
RegisterClassExW	0x1002c2f8
CreateWindowExW	0x1002c2fc
DefWindowProcW	0x1002c300
DispatchMessageW	0x1002c304
UnregisterClassW	0x1002c308

Name	Address
ImpersonateLoggedOnUser	0x1002c000
StartServiceW	0x1002c004
ChangeServiceConfig2W	0x1002c008
RegCreateKeyW	0x1002c00c
OpenServiceW	0x1002c010
OpenSCManagerW	0x1002c014
CloseServiceHandle	0x1002c018
CreateServiceW	0x1002c01c
CreateWellKnownSid	0x1002c020
CheckTokenMembership	0x1002c024
GetUserNameA	0x1002c028
RegOpenCurrentUser	0x1002c02c
OpenProcessToken	0x1002c030
DuplicateToken	0x1002c034
GetTokenInformation	0x1002c038
RegOverridePredefKey	0x1002c03c
OpenThreadToken	0x1002c040
GetUserNameW	0x1002c044
RegSetValueExW	0x1002c048
RegCloseKey	0x1002c04c
AdjustTokenPrivileges	0x1002c050
RegOpenKeyExW	0x1002c054
DuplicateTokenEx	0x1002c058
RegOpenKeyExA	0x1002c05c
LookupPrivilegeValueW	0x1002c060
SetTokenInformation	0x1002c064
CreateProcessAsUserW	0x1002c068
RegQueryValueExW	0x1002c06c

Name	Address
SHGetSpecialFolderPathW	0x1002c2d0

Name	Address
CoInitializeEx	0x1002c39c
CoUninitialize	0x1002c3a0
CoCreateInstance	0x1002c3a4

Name	Address
SysStringLen	0x1002c2a0
SysAllocString	0x1002c2a4
SysFreeString	0x1002c2a8

Name	Address
PathFileExistsW	0x1002c2d8

Name	Address
HttpQueryInfoA	0x1002c324
InternetOpenUrlA	0x1002c328
InternetSetOptionW	0x1002c32c
HttpQueryInfoW	0x1002c330
InternetCloseHandle	0x1002c334
InternetOpenW	0x1002c338

Name	Address
WTSQueryUserToken	0x1002c394

Name	Address
CreateEnvironmentBlock	0x1002c310
DestroyEnvironmentBlock	0x1002c314
LoadUserProfileW	0x1002c318
UnloadUserProfile	0x1002c31c

Name	Address
EvtSubscribe	0x1002c3ac
EvtRender	0x1002c3b0

Name	Address
connect	0x1002c340
accept	0x1002c344
getpeername	0x1002c348
gethostname	0x1002c34c
socket	0x1002c350
inet_ntoa	0x1002c354
listen	0x1002c358
send	0x1002c35c
gethostbyname	0x1002c360
closesocket	0x1002c364
__WSAFDIsSet	0x1002c368
WSAStartup	0x1002c36c
inet_addr	0x1002c370
select	0x1002c374
htons	0x1002c378
bind	0x1002c37c
recv	0x1002c380
WSACleanup	0x1002c384
setsockopt	0x1002c388
WSAIoctl	0x1002c38c

Name	Address
GetAdaptersInfo	0x1002c074

Name	Address
RpcBindingFree	0x1002c2b0
RpcStringBindingComposeW	0x1002c2b4
RpcBindingFromStringBindingW	0x1002c2b8
RpcStringFreeA	0x1002c2bc
RpcStringBindingComposeA	0x1002c2c0
RpcStringFreeW	0x1002c2c4
RpcBindingFromStringBindingA	0x1002c2c8

Exports

Name	Address	Ordinal
_getopt_a@12	0x10002740	1
_getopt_long_a@20	0x100027a0	2
_getopt_long_only_a@20	0x10002810	3
_getopt_long_only_w@20	0x10003410	4
_getopt_long_w@20	0x100033a0	5
_getopt_w@12	0x10003340	6
optarg_a	0x100668a8	7
optarg_w	0x100668a4	8
opterr	0x1006190c	9
optind	0x1006178c	10
optopt	0x10061aac	11

Reports: JSON HTML Lite

Mitre ATT&CK

Discovery	Command and Control	Defense Evasion	Privilege Escalation
T1082 - System Information Discovery antivm_checks_available_memory	T1071 - Application Layer Protocol procmem_yara static_pe_anomaly	T1202 - Indirect Command Execution suspicious_command_tools T1036 - Masquerading network_connection_via_suspicious_process accesses_public_folder modifies_windows_system_files T1055 - Process Injection network_connection_via_suspicious_process resumethread_remote_process T1548 - Abuse Elevation Control Mechanism accesses_public_folder T1027 - Obfuscated Files or Information packer_entropy T1027.002 - Software Packing packer_entropy	T1055 - Process Injection network_connection_via_suspicious_process resumethread_remote_process T1548 - Abuse Elevation Control Mechanism accesses_public_folder

Statistics (7.89)

Usage

Processing ( 4.73 seconds )

3.067 CAPE
0.74 Heatmap
0.707 NetworkAnalysis
0.21 BehaviorAnalysis
0.004 AnalysisInfo
0.001 Debug

Signatures ( 0.07 seconds )

0.013 antiav_detectreg
0.006 ransomware_files
0.005 infostealer_ftp
0.004 antianalysis_detectfile
0.004 ransomware_extensions
0.003 antianalysis_detectreg
0.003 infostealer_im
0.003 territorial_disputes_sigs
0.002 antiav_detectfile
0.002 infostealer_mail
0.002 poullight_files
0.001 network_dyndns
0.001 antivm_generic_diskreg
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 antivm_vmware_keys
0.001 antivm_xen_keys
0.001 ketrican_regkeys
0.001 geodo_banking_trojan
0.001 browser_security
0.001 darkcomet_regkeys
0.001 disables_backups
0.001 disables_browser_warn
0.001 azorult_mutexes
0.001 infostealer_bitcoin
0.001 echelon_files
0.001 masquerade_process_name
0.001 revil_mutexes
0.001 modirat_behavior
0.001 recon_fingerprint
0.001 ursnif_behavior

Reporting ( 3.09 seconds )

2.98 MITRE_TTPS
0.086 ReportHTML
0.012 LiteReport
0.012 JsonDump

Signatures

Checks available memory

A file was accessed within the Public folder.

file: C:\Users\Public\Documents\desktop.ini

SetUnhandledExceptionFilter detected (possible anti-debug)

At least one process apparently crashed during execution

Possible date expiration check, exits too soon after checking local time

process: rundll32.exe, PID 2848

Dynamic (imported) function loading detected

DynamicLoader: red_core.exe.dll/

DynamicLoader: uxtheme.dll/ThemeInitApiHook

DynamicLoader: WS2_32.dll/

DynamicLoader: WS2_32.dll/WSAIoctl

DynamicLoader: WS2_32.dll/

DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange

DynamicLoader: USER32.dll/IsProcessDPIAware

DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled

DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange

DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx

DynamicLoader: IPHLPAPI.DLL/GetIfEntry2

DynamicLoader: ntdll.dll/RtlGetVersion

DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW

DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW

DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW

DynamicLoader: RPCRT4.dll/RpcBindingSetOption

DynamicLoader: RPCRT4.dll/RpcStringFreeW

DynamicLoader: CRYPTBASE.dll/SystemFunction036

DynamicLoader: kernel32.dll/GlobalFlags

DynamicLoader: kernel32.dll/GetCurrentThreadId

DynamicLoader: kernel32.dll/GlobalAddAtomW

DynamicLoader: kernel32.dll/GetModuleHandleA

DynamicLoader: kernel32.dll/GetVersionExA

DynamicLoader: kernel32.dll/LoadLibraryA

DynamicLoader: kernel32.dll/GlobalDeleteAtom

DynamicLoader: kernel32.dll/GlobalFindAtomW

DynamicLoader: kernel32.dll/CompareStringA

DynamicLoader: kernel32.dll/GetDriveTypeA

DynamicLoader: kernel32.dll/GetCurrentDirectoryA

DynamicLoader: kernel32.dll/WriteConsoleW

DynamicLoader: kernel32.dll/GetConsoleOutputCP

DynamicLoader: kernel32.dll/WriteConsoleA

DynamicLoader: kernel32.dll/GetLocaleInfoA

DynamicLoader: kernel32.dll/GetStringTypeW

DynamicLoader: kernel32.dll/GetStringTypeA

DynamicLoader: kernel32.dll/LCMapStringA

DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime

DynamicLoader: kernel32.dll/GetTickCount

DynamicLoader: kernel32.dll/lstrcmpW

DynamicLoader: kernel32.dll/GetEnvironmentStringsW

DynamicLoader: kernel32.dll/FreeEnvironmentStringsW

DynamicLoader: kernel32.dll/GetEnvironmentStrings

DynamicLoader: kernel32.dll/FreeEnvironmentStringsA

DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount

DynamicLoader: kernel32.dll/GetExitCodeProcess

DynamicLoader: kernel32.dll/GetDateFormatA

DynamicLoader: kernel32.dll/GetTimeFormatA

DynamicLoader: kernel32.dll/LCMapStringW

DynamicLoader: kernel32.dll/GetConsoleMode

DynamicLoader: kernel32.dll/GetConsoleCP

DynamicLoader: kernel32.dll/GetTimeZoneInformation

DynamicLoader: kernel32.dll/IsValidCodePage

DynamicLoader: kernel32.dll/GetOEMCP

DynamicLoader: kernel32.dll/GetACP

DynamicLoader: kernel32.dll/GetCPInfo

DynamicLoader: kernel32.dll/GetModuleFileNameA

DynamicLoader: kernel32.dll/VirtualFree

DynamicLoader: kernel32.dll/HeapDestroy

DynamicLoader: kernel32.dll/HeapCreate

DynamicLoader: kernel32.dll/ExitProcess

DynamicLoader: kernel32.dll/HeapSize

DynamicLoader: kernel32.dll/RaiseException

DynamicLoader: kernel32.dll/RtlUnwind

DynamicLoader: kernel32.dll/HeapReAlloc

DynamicLoader: kernel32.dll/GetCommandLineA

DynamicLoader: kernel32.dll/GetStartupInfoA

DynamicLoader: kernel32.dll/GetFileType

DynamicLoader: kernel32.dll/SetHandleCount

DynamicLoader: kernel32.dll/CreateThread

DynamicLoader: kernel32.dll/ExitThread

DynamicLoader: kernel32.dll/IsDebuggerPresent

DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter

DynamicLoader: kernel32.dll/UnhandledExceptionFilter

DynamicLoader: kernel32.dll/InterlockedIncrement

DynamicLoader: kernel32.dll/CompareStringW

DynamicLoader: kernel32.dll/FreeLibrary

DynamicLoader: kernel32.dll/InterlockedDecrement

DynamicLoader: kernel32.dll/GetModuleHandleW

DynamicLoader: kernel32.dll/TlsFree

DynamicLoader: kernel32.dll/DeleteCriticalSection

DynamicLoader: kernel32.dll/LocalReAlloc

DynamicLoader: kernel32.dll/TlsSetValue

DynamicLoader: kernel32.dll/TlsAlloc

DynamicLoader: kernel32.dll/InitializeCriticalSection

DynamicLoader: kernel32.dll/GlobalHandle

DynamicLoader: kernel32.dll/GlobalReAlloc

DynamicLoader: kernel32.dll/EnterCriticalSection

DynamicLoader: kernel32.dll/TlsGetValue

DynamicLoader: kernel32.dll/LeaveCriticalSection

DynamicLoader: kernel32.dll/LocalAlloc

DynamicLoader: kernel32.dll/GetCurrentProcessId

DynamicLoader: kernel32.dll/lstrcmpA

DynamicLoader: kernel32.dll/GetFileTime

DynamicLoader: kernel32.dll/GetFileSizeEx

DynamicLoader: kernel32.dll/GetFileAttributesW

DynamicLoader: kernel32.dll/GetProcAddress

DynamicLoader: kernel32.dll/GetModuleFileNameW

DynamicLoader: kernel32.dll/GetFullPathNameW

DynamicLoader: kernel32.dll/SetEndOfFile

DynamicLoader: kernel32.dll/UnlockFile

DynamicLoader: kernel32.dll/LockFile

DynamicLoader: kernel32.dll/FlushFileBuffers

DynamicLoader: kernel32.dll/SetFilePointer

DynamicLoader: kernel32.dll/LoadLibraryW

DynamicLoader: kernel32.dll/FindFirstFileW

DynamicLoader: kernel32.dll/FileTimeToLocalFileTime

DynamicLoader: kernel32.dll/FileTimeToSystemTime

DynamicLoader: kernel32.dll/FindNextFileW

DynamicLoader: kernel32.dll/FindClose

DynamicLoader: kernel32.dll/GlobalFree

DynamicLoader: kernel32.dll/GlobalAlloc

DynamicLoader: kernel32.dll/GlobalLock

DynamicLoader: kernel32.dll/GlobalUnlock

DynamicLoader: kernel32.dll/FormatMessageW

DynamicLoader: kernel32.dll/LocalFree

DynamicLoader: kernel32.dll/SetLastError

DynamicLoader: kernel32.dll/WideCharToMultiByte

DynamicLoader: kernel32.dll/GetLastError

DynamicLoader: kernel32.dll/MultiByteToWideChar

DynamicLoader: kernel32.dll/lstrlenA

DynamicLoader: kernel32.dll/ReleaseMutex

DynamicLoader: kernel32.dll/CreateMutexW

DynamicLoader: kernel32.dll/GetProcessHeap

DynamicLoader: kernel32.dll/HeapFree

DynamicLoader: kernel32.dll/HeapAlloc

DynamicLoader: kernel32.dll/GetComputerNameA

DynamicLoader: kernel32.dll/GetPrivateProfileStringW

DynamicLoader: kernel32.dll/GetVolumeInformationW

DynamicLoader: kernel32.dll/DeleteFileW

DynamicLoader: kernel32.dll/GetDiskFreeSpaceExW

DynamicLoader: kernel32.dll/SetCurrentDirectoryW

DynamicLoader: kernel32.dll/LockResource

DynamicLoader: kernel32.dll/MoveFileW

DynamicLoader: kernel32.dll/GetTempPathW

DynamicLoader: kernel32.dll/lstrlenW

DynamicLoader: kernel32.dll/SizeofResource

DynamicLoader: kernel32.dll/CreateDirectoryW

DynamicLoader: kernel32.dll/GetLogicalDriveStringsW

DynamicLoader: kernel32.dll/LoadResource

DynamicLoader: kernel32.dll/FindResourceW

DynamicLoader: kernel32.dll/SetErrorMode

DynamicLoader: kernel32.dll/GetDriveTypeW

DynamicLoader: kernel32.dll/Sleep

DynamicLoader: kernel32.dll/lstrcpyA

DynamicLoader: kernel32.dll/WaitForMultipleObjects

DynamicLoader: kernel32.dll/ResetEvent

DynamicLoader: kernel32.dll/DuplicateHandle

DynamicLoader: kernel32.dll/CreatePipe

DynamicLoader: kernel32.dll/CreateEventW

DynamicLoader: kernel32.dll/SetStdHandle

DynamicLoader: kernel32.dll/GetStdHandle

DynamicLoader: kernel32.dll/GetCurrentProcess

DynamicLoader: kernel32.dll/CreateProcessW

DynamicLoader: kernel32.dll/GetEnvironmentVariableW

DynamicLoader: kernel32.dll/lstrcpyW

DynamicLoader: kernel32.dll/ResumeThread

DynamicLoader: kernel32.dll/WriteProcessMemory

DynamicLoader: kernel32.dll/CloseHandle

DynamicLoader: kernel32.dll/WinExec

DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot

DynamicLoader: kernel32.dll/WTSGetActiveConsoleSessionId

DynamicLoader: kernel32.dll/Process32NextW

DynamicLoader: kernel32.dll/Process32FirstW

DynamicLoader: kernel32.dll/VirtualAllocEx

DynamicLoader: kernel32.dll/VirtualAlloc

DynamicLoader: kernel32.dll/WritePrivateProfileStringW

DynamicLoader: kernel32.dll/CreateFileW

DynamicLoader: kernel32.dll/ReadFile

DynamicLoader: kernel32.dll/TerminateProcess

DynamicLoader: kernel32.dll/GetSystemDirectoryW

DynamicLoader: kernel32.dll/SetEnvironmentVariableA

DynamicLoader: kernel32.dll/OpenProcess

DynamicLoader: kernel32.dll/WriteFile

DynamicLoader: kernel32.dll/GetCurrentThread

DynamicLoader: kernel32.dll/SetEvent

DynamicLoader: kernel32.dll/WaitForSingleObject

DynamicLoader: kernel32.dll/SetThreadContext

DynamicLoader: kernel32.dll/GetFileSize

DynamicLoader: kernel32.dll/CreateFileA

DynamicLoader: kernel32.dll/QueryPerformanceCounter

DynamicLoader: kernel32.dll/GetThreadContext

DynamicLoader: USER32.dll/SetMenu

DynamicLoader: USER32.dll/SetForegroundWindow

DynamicLoader: USER32.dll/GetClientRect

DynamicLoader: USER32.dll/PostMessageW

DynamicLoader: USER32.dll/CreateWindowExW

DynamicLoader: USER32.dll/GetClassInfoExW

DynamicLoader: USER32.dll/GetClassInfoW

DynamicLoader: USER32.dll/RegisterClassW

DynamicLoader: USER32.dll/AdjustWindowRectEx

DynamicLoader: USER32.dll/CopyRect

DynamicLoader: USER32.dll/DefWindowProcW

DynamicLoader: USER32.dll/CallWindowProcW

DynamicLoader: USER32.dll/GetMenu

DynamicLoader: USER32.dll/ExitWindowsEx

DynamicLoader: USER32.dll/mouse_event

DynamicLoader: USER32.dll/ReleaseDC

DynamicLoader: USER32.dll/SetCursorPos

DynamicLoader: USER32.dll/SystemParametersInfoA

DynamicLoader: USER32.dll/IsIconic

DynamicLoader: USER32.dll/GetWindowPlacement

DynamicLoader: USER32.dll/GrayStringW

DynamicLoader: USER32.dll/DrawTextExW

DynamicLoader: USER32.dll/DrawTextW

DynamicLoader: USER32.dll/TabbedTextOutW

DynamicLoader: USER32.dll/SetWindowsHookExW

DynamicLoader: USER32.dll/CallNextHookEx

DynamicLoader: USER32.dll/DispatchMessageW

DynamicLoader: USER32.dll/GetKeyState

DynamicLoader: USER32.dll/PeekMessageW

DynamicLoader: USER32.dll/ValidateRect

DynamicLoader: USER32.dll/LoadIconW

DynamicLoader: USER32.dll/MapWindowPoints

DynamicLoader: USER32.dll/GetMessagePos

DynamicLoader: USER32.dll/GetMessageTime

DynamicLoader: USER32.dll/DestroyWindow

DynamicLoader: USER32.dll/GetTopWindow

DynamicLoader: USER32.dll/GetDC

DynamicLoader: USER32.dll/keybd_event

DynamicLoader: USER32.dll/GetSubMenu

DynamicLoader: USER32.dll/WinHelpW

DynamicLoader: USER32.dll/GetMenuItemID

DynamicLoader: USER32.dll/GetMenuState

DynamicLoader: USER32.dll/GetSystemMetrics

DynamicLoader: USER32.dll/CharUpperW

DynamicLoader: USER32.dll/GetWindowTextW

DynamicLoader: USER32.dll/MessageBoxW

DynamicLoader: USER32.dll/EnableWindow

DynamicLoader: USER32.dll/IsWindowEnabled

DynamicLoader: USER32.dll/GetLastActivePopup

DynamicLoader: USER32.dll/GetWindowLongW

DynamicLoader: USER32.dll/GetParent

DynamicLoader: USER32.dll/RegisterWindowMessageW

DynamicLoader: USER32.dll/CheckMenuItem

DynamicLoader: USER32.dll/EnableMenuItem

DynamicLoader: USER32.dll/ModifyMenuW

DynamicLoader: USER32.dll/LoadBitmapW

DynamicLoader: USER32.dll/GetMenuCheckMarkDimensions

DynamicLoader: USER32.dll/SetMenuItemBitmaps

DynamicLoader: USER32.dll/PostQuitMessage

DynamicLoader: USER32.dll/DestroyMenu

DynamicLoader: USER32.dll/GetForegroundWindow

DynamicLoader: USER32.dll/RemovePropW

DynamicLoader: USER32.dll/GetPropW

DynamicLoader: USER32.dll/SetPropW

DynamicLoader: USER32.dll/GetClassLongW

DynamicLoader: USER32.dll/GetCapture

DynamicLoader: USER32.dll/SendMessageW

DynamicLoader: USER32.dll/GetWindowThreadProcessId

DynamicLoader: USER32.dll/UnhookWindowsHookEx

DynamicLoader: USER32.dll/GetSysColorBrush

DynamicLoader: USER32.dll/GetSysColor

DynamicLoader: USER32.dll/LoadCursorW

DynamicLoader: USER32.dll/SetWindowTextW

DynamicLoader: USER32.dll/PtInRect

DynamicLoader: USER32.dll/GetClassNameW

DynamicLoader: USER32.dll/GetWindowRect

DynamicLoader: USER32.dll/GetDlgCtrlID

DynamicLoader: USER32.dll/GetWindow

DynamicLoader: USER32.dll/ClientToScreen

DynamicLoader: USER32.dll/GetFocus

DynamicLoader: USER32.dll/GetDlgItem

DynamicLoader: USER32.dll/GetMenuItemCount

DynamicLoader: USER32.dll/IsWindow

DynamicLoader: USER32.dll/SetWindowLongW

DynamicLoader: USER32.dll/SetWindowPos

DynamicLoader: GDI32.dll/PtVisible

DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle

DynamicLoader: CRYPTBASE.dll/SystemFunction036

DynamicLoader: sechost.dll/LookupAccountNameLocalW

DynamicLoader: ADVAPI32.dll/LookupAccountSidW

DynamicLoader: sechost.dll/LookupAccountSidLocalW

DynamicLoader: Winsta.dll/WinStationFreeMemory

DynamicLoader: Winsta.dll/WinStationCloseServer

DynamicLoader: Winsta.dll/WinStationOpenServerW

DynamicLoader: Winsta.dll/WinStationFreeGAPMemory

DynamicLoader: Winsta.dll/WinStationGetAllProcesses

DynamicLoader: Winsta.dll/WinStationEnumerateProcesses

DynamicLoader: kernel32.dll/SortGetHandle

DynamicLoader: kernel32.dll/SortCloseHandle

DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages

DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages

DynamicLoader: kernel32.dll/LocaleNameToLCID

DynamicLoader: kernel32.dll/GetLocaleInfoEx

DynamicLoader: kernel32.dll/LCIDToLocaleName

DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName

DynamicLoader: fastprox.dll/DllGetClassObject

DynamicLoader: fastprox.dll/DllCanUnloadNow

DynamicLoader: kernel32.dll/RegOpenKeyExW

DynamicLoader: OLEAUT32.dll/

DynamicLoader: USERENV.dll/CreateEnvironmentBlock

DynamicLoader: sechost.dll/ConvertSidToStringSidW

DynamicLoader: SspiCli.dll/GetUserNameExW

DynamicLoader: USERENV.dll/DestroyEnvironmentBlock

DynamicLoader: ole32.dll/CoGetClassObject

DynamicLoader: ole32.dll/CoGetMarshalSizeMax

DynamicLoader: ole32.dll/CoMarshalInterface

DynamicLoader: ole32.dll/CoUnmarshalInterface

DynamicLoader: ole32.dll/StringFromIID

DynamicLoader: ole32.dll/CoGetPSClsid

DynamicLoader: ole32.dll/CoTaskMemAlloc

DynamicLoader: ole32.dll/CoTaskMemFree

DynamicLoader: ole32.dll/CoCreateInstance

DynamicLoader: ole32.dll/CoReleaseMarshalData

DynamicLoader: ole32.dll/DcomChannelSetHResult

DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI

DynamicLoader: VSSAPI.DLL/CreateWriter

DynamicLoader: OLEAUT32.dll/

DynamicLoader: ole32.dll/CoTaskMemFree

DynamicLoader: ole32.dll/CoTaskMemAlloc

DynamicLoader: ADVAPI32.dll/LookupAccountNameW

DynamicLoader: sechost.dll/LookupAccountNameLocalW

DynamicLoader: ADVAPI32.dll/LookupAccountSidW

DynamicLoader: samcli.dll/NetLocalGroupGetMembers

DynamicLoader: SAMLIB.dll/SamConnect

DynamicLoader: RPCRT4.dll/NdrClientCall2

DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW

DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW

DynamicLoader: RPCRT4.dll/RpcStringFreeW

DynamicLoader: RPCRT4.dll/RpcBindingFree

DynamicLoader: SAMLIB.dll/SamOpenDomain

DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain

DynamicLoader: SAMLIB.dll/SamOpenAlias

DynamicLoader: SAMLIB.dll/SamFreeMemory

DynamicLoader: SAMLIB.dll/SamCloseHandle

DynamicLoader: SAMLIB.dll/SamGetMembersInAlias

DynamicLoader: netutils.dll/NetApiBufferFree

DynamicLoader: ole32.dll/CoCreateGuid

DynamicLoader: ole32.dll/CoCreateInstance

DynamicLoader: ole32.dll/StringFromCLSID

DynamicLoader: OLEAUT32.dll/

DynamicLoader: ADVAPI32.dll/RegOpenKeyW

DynamicLoader: PROPSYS.dll/VariantToPropVariant

DynamicLoader: OLEAUT32.dll/

DynamicLoader: wbemcore.dll/Reinitialize

DynamicLoader: wbemsvc.dll/DllGetClassObject

DynamicLoader: wbemsvc.dll/DllCanUnloadNow

DynamicLoader: authZ.dll/AuthzInitializeContextFromToken

DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2

DynamicLoader: authZ.dll/AuthzAccessCheck

DynamicLoader: authZ.dll/AuthzFreeAuditEvent

DynamicLoader: authZ.dll/AuthzFreeContext

DynamicLoader: authZ.dll/AuthzInitializeResourceManager

DynamicLoader: authZ.dll/AuthzFreeResourceManager

DynamicLoader: RPCRT4.dll/NdrClientCall2

DynamicLoader: RPCRT4.dll/RpcBindingCreateW

DynamicLoader: RPCRT4.dll/RpcBindingBind

DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status

DynamicLoader: RPCRT4.dll/RpcBindingFree

DynamicLoader: ADVAPI32.dll/EventRegister

DynamicLoader: ADVAPI32.dll/EventUnregister

DynamicLoader: ADVAPI32.dll/EventWrite

DynamicLoader: ADVAPI32.dll/EventActivityIdControl

DynamicLoader: ADVAPI32.dll/EventWriteTransfer

DynamicLoader: ADVAPI32.dll/EventEnabled

DynamicLoader: kernel32.dll/RegCloseKey

DynamicLoader: kernel32.dll/RegSetValueExW

DynamicLoader: kernel32.dll/RegOpenKeyExW

DynamicLoader: kernel32.dll/RegQueryValueExW

DynamicLoader: kernel32.dll/RegCloseKey

DynamicLoader: wmisvc.dll/IsImproperShutdownDetected

DynamicLoader: Wevtapi.dll/EvtRender

DynamicLoader: Wevtapi.dll/EvtNext

DynamicLoader: Wevtapi.dll/EvtClose

DynamicLoader: Wevtapi.dll/EvtQuery

DynamicLoader: Wevtapi.dll/EvtCreateRenderContext

DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW

DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW

DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW

DynamicLoader: RPCRT4.dll/RpcBindingSetOption

DynamicLoader: RPCRT4.dll/RpcStringFreeW

DynamicLoader: RPCRT4.dll/NdrClientCall2

DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI

DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler

DynamicLoader: ole32.dll/CoGetMarshalSizeMax

DynamicLoader: ole32.dll/CreateStreamOnHGlobal

DynamicLoader: ole32.dll/CoMarshalInterface

DynamicLoader: CRYPTSP.dll/CryptAcquireContextW

DynamicLoader: CRYPTSP.dll/CryptGenRandom

DynamicLoader: CRYPTSP.dll/CryptReleaseContext

DynamicLoader: KERNELBASE.dll/InitializeAcl

DynamicLoader: KERNELBASE.dll/AddAce

DynamicLoader: sechost.dll/LookupAccountSidLocalW

DynamicLoader: kernel32.dll/OpenProcessToken

DynamicLoader: KERNELBASE.dll/GetTokenInformation

DynamicLoader: KERNELBASE.dll/DuplicateTokenEx

DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges

DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid

DynamicLoader: KERNELBASE.dll/CheckTokenMembership

DynamicLoader: kernel32.dll/SetThreadToken

DynamicLoader: ole32.dll/CLSIDFromString

DynamicLoader: ole32.dll/CoCreateInstance

DynamicLoader: authZ.dll/AuthzInitializeContextFromToken

DynamicLoader: authZ.dll/AuthzInitializeResourceManager

DynamicLoader: authZ.dll/AuthzInitializeContextFromSid

DynamicLoader: authZ.dll/AuthzInitializeContextFromToken

DynamicLoader: authZ.dll/AuthzAccessCheck

DynamicLoader: authZ.dll/AuthzFreeContext

DynamicLoader: authZ.dll/AuthzFreeResourceManager

DynamicLoader: sechost.dll/LookupAccountSidLocalW

DynamicLoader: ole32.dll/CoGetClassObject

DynamicLoader: ole32.dll/CoGetCallContext

DynamicLoader: ole32.dll/CoRevertToSelf

DynamicLoader: SspiCli.dll/LogonUserExExW

DynamicLoader: ole32.dll/StringFromGUID2

DynamicLoader: ole32.dll/CoImpersonateClient

DynamicLoader: ole32.dll/CoSwitchCallContext

DynamicLoader: ole32.dll/CoCreateGuid

DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI

DynamicLoader: ole32.dll/CoInitializeEx

DynamicLoader: wbemcore.dll/Reinitialize

DynamicLoader: OLEAUT32.dll/

DynamicLoader: wbemcore.dll/Reinitialize

DynamicLoader: ole32.dll/CoInitializeEx

DynamicLoader: ole32.dll/CoUninitialize

DynamicLoader: CRYPTBASE.dll/SystemFunction036

DynamicLoader: ole32.dll/CLSIDFromOle1Class

DynamicLoader: CLBCatQ.DLL/GetCatalogObject

DynamicLoader: CLBCatQ.DLL/GetCatalogObject2

DynamicLoader: sechost.dll/LookupAccountNameLocalW

DynamicLoader: ADVAPI32.dll/LookupAccountSidW

DynamicLoader: sechost.dll/LookupAccountSidLocalW

DynamicLoader: uxtheme.dll/ThemeInitApiHook

DynamicLoader: USER32.dll/IsProcessDPIAware

DynamicLoader: ole32.dll/CoGetClassObject

DynamicLoader: ole32.dll/CoGetMarshalSizeMax

DynamicLoader: ole32.dll/CoMarshalInterface

DynamicLoader: ole32.dll/CoUnmarshalInterface

DynamicLoader: ole32.dll/StringFromIID

DynamicLoader: ole32.dll/CoGetPSClsid

DynamicLoader: ole32.dll/CoTaskMemAlloc

DynamicLoader: ole32.dll/CoTaskMemFree

DynamicLoader: ole32.dll/CoCreateInstance

DynamicLoader: ole32.dll/CoReleaseMarshalData

DynamicLoader: ole32.dll/DcomChannelSetHResult

DynamicLoader: wininet.dll/DllGetClassObject

DynamicLoader: wininet.dll/DllCanUnloadNow

DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance

DynamicLoader: ole32.dll/CoGetMarshalSizeMax

DynamicLoader: ole32.dll/CoMarshalInterface

DynamicLoader: ole32.dll/CoUnmarshalInterface

DynamicLoader: ole32.dll/CoReleaseMarshalData

DynamicLoader: wininet.dll/DllGetClassObject

DynamicLoader: wininet.dll/DllCanUnloadNow

DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoImpersonateClient

DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoRevertToSelf

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetTokenInformation

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/CopySid

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EqualSid

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetSidSubAuthorityCount

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetSidSubAuthority

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventRegister

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventUnregister

DynamicLoader: Secur32.dll/GetUserNameExA

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCreateKeyExA

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegQueryValueExA

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegOpenKeyExW

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegGetValueW

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCloseKey

DynamicLoader: SHELL32.dll/SHGetKnownFolderPath

DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertSidToStringSidW

DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW

DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoTaskMemFree

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegGetValueA

DynamicLoader: iertutil.dll/

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegOpenKeyExA

DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoTaskMemAlloc

DynamicLoader: WS2_32.dll/

DynamicLoader: winhttp.dll/WinHttpCreateProxyResolver

DynamicLoader: iertutil.dll/

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegQueryValueExW

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCreateKeyExW

DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegSetValueExW

DynamicLoader: WS2_32.dll/

DynamicLoader: WS2_32.dll/WSAIoctl

DynamicLoader: WS2_32.dll/

DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange

DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange

DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx

DynamicLoader: IPHLPAPI.DLL/GetIfEntry2

DynamicLoader: OLEAUT32.dll/

Resumed a thread in another process

thread_resumed: Process rundll32.exe with process ID 2848 resumed a thread in another process with the process ID 2848

thread_resumed: Process taskkill.exe with process ID 3784 resumed a thread in another process with the process ID 3784

thread_resumed: Process wmiprvse.exe with process ID 2464 resumed a thread in another process with the process ID 2464

thread_resumed: Process dllhost.exe with process ID 3688 resumed a thread in another process with the process ID 3688

Attempts to make a network connection via suspicious process

The binary likely contains encrypted or compressed data

section: {'name': '.data', 'raw_address': '0x00037000', 'virtual_address': '0x00039000', 'virtual_size': '0x0002d8ac', 'size_of_data': '0x00029200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.94'}

Checks for presence of debugger via IsDebuggerPresent

Starts servers listening on 0.0.0.0:49563

Yara detections observed in process dumps, payloads or dropped files

Hit: PID triggered the Yara rule 'vmdetect' with data '['VMware', '000C29']'

Anomalous binary characteristics

anomaly: Entrypoint of binary is located outside of any mapped sections

anomaly: Actual checksum does not match that reported in PE header

Modifies Windows System files (System32 / SysWOW64)

ModifiedFile: C:\Windows\System32\wbem\repository\MAPPING3.MAP

ModifiedFile: C:\Windows\System32\wbem\repository\WRITABLE.TST

ModifiedFile: C:\Windows\System32\wbem\repository\MAPPING1.MAP

ModifiedFile: C:\Windows\System32\wbem\repository\MAPPING2.MAP

ModifiedFile: C:\Windows\System32\wbem\repository\OBJECTS.DATA

ModifiedFile: C:\Windows\System32\wbem\repository\INDEX.BTR

Sniffs keystrokes

GetAsyncKeyState: Process: rundll32.exe(2848)

Uses suspicious command line tools or Windows utilities

command: TASKKILL /F /IM rundll32.exe

Screenshots

Session Playback

No playback available.

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
toiyeuvn.dongaruou.com [VT]	A 172.61.0.2 [VT]

Summary

C:\Users\user\AppData\Local\Temp\red_core.exe.dll
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.124.Manifest
C:\Windows\System32\msgsm64.acm
C:\Users\Public\Documents\desktop.ini
\Device\KsecDD
C:\Windows\System32\rundll32.exe
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\inf\hdaudio.inf
C:\Windows\System32\DriverStore\en-US\hdaudio.inf_loc
C:\Windows\inf\hdaudio.PNF
C:\Windows\Temp
C:\Users\user\AppData\Local\Temp
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\en-US\USER32.dll.mui
C:\Windows\System32\rpcss.dll
C:\Windows\Branding\Basebrd\basebrd.dll
C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui
C:
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
\??\Nsi

\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\TASKKILL.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\DeviceDesc
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Control Panel\International
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#elineoutwave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{eb115ffc-10c8-4964-831d-6dcb02e6f23f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#elineoutwave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#eLineOutWave\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#elineouttopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Properties
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000_Classes
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000_CLASSES\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\AppID
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000_CLASSES\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2476309959-3960023044-3115063449-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2476309959-3960023044-3115063449-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Environment
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Volatile Environment
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Volatile Environment\0
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\Software\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_CURRENT_USER\Software\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\System\Setup

DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\DeviceDesc
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39b8af29&0&0001\ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2476309959-3960023044-3115063449-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-2476309959-3960023044-3115063449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{1A75D166-18D6-4EAE-8F3C-4C068D2C41AB}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{21048AEC-BA91-44FB-973A-86DF303E863A}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{51175AF8-853A-4ABE-8682-2BCE64B21275}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{A9752F17-B892-4DB7-A272-7BA2EFAF64B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c39ee728-d419-4bd4-a3ef-eda059dbd935}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

red_core.exe.dll.#1
uxtheme.dll.ThemeInitApiHook
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
ntdll.dll.RtlGetVersion
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
rpcrt4.dll.RpcStringFreeW
cryptbase.dll.SystemFunction036
kernel32.dll.GlobalFlags
kernel32.dll.GetCurrentThreadId
kernel32.dll.GlobalAddAtomW
kernel32.dll.GetModuleHandleA
kernel32.dll.GetVersionExA
kernel32.dll.LoadLibraryA
kernel32.dll.GlobalDeleteAtom
kernel32.dll.GlobalFindAtomW
kernel32.dll.CompareStringA
kernel32.dll.GetDriveTypeA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.WriteConsoleW
kernel32.dll.GetConsoleOutputCP
kernel32.dll.WriteConsoleA
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.LCMapStringA
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetTickCount
kernel32.dll.lstrcmpW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetDateFormatA
kernel32.dll.GetTimeFormatA
kernel32.dll.LCMapStringW
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.GetTimeZoneInformation
kernel32.dll.IsValidCodePage
kernel32.dll.GetOEMCP
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetModuleFileNameA
kernel32.dll.VirtualFree
kernel32.dll.HeapDestroy
kernel32.dll.HeapCreate
kernel32.dll.ExitProcess
kernel32.dll.HeapSize
kernel32.dll.RaiseException
kernel32.dll.RtlUnwind
kernel32.dll.HeapReAlloc
kernel32.dll.GetCommandLineA
kernel32.dll.GetStartupInfoA
kernel32.dll.GetFileType
kernel32.dll.SetHandleCount
kernel32.dll.CreateThread
kernel32.dll.ExitThread
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.InterlockedIncrement
kernel32.dll.CompareStringW
kernel32.dll.FreeLibrary
kernel32.dll.InterlockedDecrement
kernel32.dll.GetModuleHandleW
kernel32.dll.TlsFree
kernel32.dll.DeleteCriticalSection
kernel32.dll.LocalReAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsAlloc
kernel32.dll.InitializeCriticalSection
kernel32.dll.GlobalHandle
kernel32.dll.GlobalReAlloc
kernel32.dll.EnterCriticalSection
kernel32.dll.TlsGetValue
kernel32.dll.LeaveCriticalSection
kernel32.dll.LocalAlloc
kernel32.dll.GetCurrentProcessId
kernel32.dll.lstrcmpA
kernel32.dll.GetFileTime
kernel32.dll.GetFileSizeEx
kernel32.dll.GetFileAttributesW
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetFullPathNameW
kernel32.dll.SetEndOfFile
kernel32.dll.UnlockFile
kernel32.dll.LockFile
kernel32.dll.FlushFileBuffers
kernel32.dll.SetFilePointer
kernel32.dll.LoadLibraryW
kernel32.dll.FindFirstFileW
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FindNextFileW
kernel32.dll.FindClose
kernel32.dll.GlobalFree
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.FormatMessageW
kernel32.dll.LocalFree
kernel32.dll.SetLastError
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetLastError
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
kernel32.dll.GetProcessHeap
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetComputerNameA
kernel32.dll.GetPrivateProfileStringW
kernel32.dll.GetVolumeInformationW
kernel32.dll.DeleteFileW
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.LockResource
kernel32.dll.MoveFileW
kernel32.dll.GetTempPathW
kernel32.dll.lstrlenW
kernel32.dll.SizeofResource
kernel32.dll.CreateDirectoryW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.SetErrorMode
kernel32.dll.GetDriveTypeW
kernel32.dll.Sleep
kernel32.dll.lstrcpyA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.ResetEvent
kernel32.dll.DuplicateHandle
kernel32.dll.CreatePipe
kernel32.dll.CreateEventW
kernel32.dll.SetStdHandle
kernel32.dll.GetStdHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.CreateProcessW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.lstrcpyW
kernel32.dll.ResumeThread
kernel32.dll.WriteProcessMemory
kernel32.dll.CloseHandle
kernel32.dll.WinExec
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.WTSGetActiveConsoleSessionId
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualAlloc
kernel32.dll.WritePrivateProfileStringW
kernel32.dll.CreateFileW
kernel32.dll.ReadFile
kernel32.dll.TerminateProcess
kernel32.dll.GetSystemDirectoryW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.OpenProcess
kernel32.dll.WriteFile
kernel32.dll.GetCurrentThread
kernel32.dll.SetEvent
kernel32.dll.WaitForSingleObject
kernel32.dll.SetThreadContext
kernel32.dll.GetFileSize
kernel32.dll.CreateFileA
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetThreadContext
user32.dll.SetMenu
user32.dll.SetForegroundWindow
user32.dll.GetClientRect
user32.dll.PostMessageW
user32.dll.CreateWindowExW
user32.dll.GetClassInfoExW
user32.dll.GetClassInfoW
user32.dll.RegisterClassW
user32.dll.AdjustWindowRectEx
user32.dll.CopyRect
user32.dll.DefWindowProcW
user32.dll.CallWindowProcW
user32.dll.GetMenu
user32.dll.ExitWindowsEx
user32.dll.mouse_event
user32.dll.ReleaseDC
user32.dll.SetCursorPos
user32.dll.SystemParametersInfoA
user32.dll.IsIconic
user32.dll.GetWindowPlacement
user32.dll.GrayStringW
user32.dll.DrawTextExW
user32.dll.DrawTextW
user32.dll.TabbedTextOutW
user32.dll.SetWindowsHookExW
user32.dll.CallNextHookEx
user32.dll.DispatchMessageW
user32.dll.GetKeyState
user32.dll.PeekMessageW
user32.dll.ValidateRect
user32.dll.LoadIconW
user32.dll.MapWindowPoints
user32.dll.GetMessagePos
user32.dll.GetMessageTime
user32.dll.DestroyWindow
user32.dll.GetTopWindow
user32.dll.GetDC
user32.dll.keybd_event
user32.dll.GetSubMenu
user32.dll.WinHelpW
user32.dll.GetMenuItemID
user32.dll.GetMenuState
user32.dll.GetSystemMetrics
user32.dll.CharUpperW
user32.dll.GetWindowTextW
user32.dll.MessageBoxW
user32.dll.EnableWindow
user32.dll.IsWindowEnabled
user32.dll.GetLastActivePopup
user32.dll.GetWindowLongW
user32.dll.GetParent
user32.dll.RegisterWindowMessageW
user32.dll.CheckMenuItem
user32.dll.EnableMenuItem
user32.dll.ModifyMenuW
user32.dll.LoadBitmapW
user32.dll.GetMenuCheckMarkDimensions
user32.dll.SetMenuItemBitmaps
user32.dll.PostQuitMessage
user32.dll.DestroyMenu
user32.dll.GetForegroundWindow
user32.dll.RemovePropW
user32.dll.GetPropW
user32.dll.SetPropW
user32.dll.GetClassLongW
user32.dll.GetCapture
user32.dll.SendMessageW
user32.dll.GetWindowThreadProcessId
user32.dll.UnhookWindowsHookEx
user32.dll.GetSysColorBrush
user32.dll.GetSysColor
user32.dll.LoadCursorW
user32.dll.SetWindowTextW
user32.dll.PtInRect
user32.dll.GetClassNameW
user32.dll.GetWindowRect
user32.dll.GetDlgCtrlID
user32.dll.GetWindow
user32.dll.ClientToScreen
user32.dll.GetFocus
user32.dll.GetDlgItem
user32.dll.GetMenuItemCount
user32.dll.IsWindow
user32.dll.SetWindowLongW
user32.dll.SetWindowPos
gdi32.dll.PtVisible
rpcrt4.dll.RpcAsyncInitializeHandle
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
winsta.dll.WinStationFreeMemory
winsta.dll.WinStationCloseServer
winsta.dll.WinStationOpenServerW
winsta.dll.WinStationFreeGAPMemory
winsta.dll.WinStationGetAllProcesses
winsta.dll.WinStationEnumerateProcesses
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
kernel32.dll.RegOpenKeyExW
oleaut32.dll.#500
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
oleaut32.dll.#4
oleaut32.dll.#7
advapi32.dll.RegOpenKeyW
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.CoRevertToSelf
sspicli.dll.LogonUserExExW
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoSwitchCallContext
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
wininet.dll.DllGetClassObject
wininet.dll.DllCanUnloadNow
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
api-ms-win-downlevel-ole32-l1-1-0.dll.CoImpersonateClient
api-ms-win-downlevel-ole32-l1-1-0.dll.CoRevertToSelf
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetTokenInformation
api-ms-win-downlevel-advapi32-l1-1-0.dll.CopySid
api-ms-win-downlevel-advapi32-l1-1-0.dll.EqualSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthorityCount
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthority
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventRegister
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventUnregister
secur32.dll.GetUserNameExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCloseKey
shell32.dll.SHGetKnownFolderPath
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertSidToStringSidW
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueA
iertutil.dll.#701
iertutil.dll.#703
iertutil.dll.#702
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExA
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemAlloc
ws2_32.dll.#115
ws2_32.dll.#111
iertutil.dll.#791
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegSetValueExW

TASKKILL /F /IM rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

{728264DE-3701-419B-84A4-2AD86B0C43A3}

No results

Sorry! No behavior.

Sorry! No tracee.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No CAPE files.

Sorry! No process dumps.

Analysis

Machine

File Details

PE Information

Sections

Overlay

Resources

Imports

KERNEL32

USER32

ADVAPI32

SHELL32

ole32

OLEAUT32

SHLWAPI

WININET

WTSAPI32

USERENV

wevtapi

WS2_32

IPHLPAPI

RPCRT4

Exports

Usage

Processing ( 4.73 seconds )

Signatures ( 0.07 seconds )

Reporting ( 3.09 seconds )

Signatures

Screenshots

Session Playback

Hosts

DNS

Summary

HTTP Requests

SMTP traffic

IRC traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP