Status: Malicious
Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) | MalScore |
|---|---|---|---|---|---|---|---|
| FILE | dll | 2025-12-09 15:14:02 | 2025-12-09 15:17:25 | 203 seconds | Show Options | Show Analysis Log | 8.0 |
vnc_port=5901
2025-12-06 09:51:40,421 [root] INFO: Date set to: 20251209T07:11:46, timeout set to: 180
2025-12-09 07:11:46,015 [root] DEBUG: Starting analyzer from: C:\tmpug94sp1v
2025-12-09 07:11:46,015 [root] DEBUG: Storing results at: C:\vZreiI
2025-12-09 07:11:46,015 [root] DEBUG: Pipe server name: \\.\PIPE\xFlXoj
2025-12-09 07:11:46,015 [root] DEBUG: Python path: C:\Python38
2025-12-09 07:11:46,015 [root] INFO: analysis running as an admin
2025-12-09 07:11:46,015 [root] INFO: analysis package specified: "dll"
2025-12-09 07:11:46,015 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2025-12-09 07:11:46,015 [root] DEBUG: imported analysis package "dll"
2025-12-09 07:11:46,015 [root] DEBUG: initializing analysis package "dll"...
2025-12-09 07:11:46,015 [lib.common.common] INFO: wrapping
2025-12-09 07:11:46,015 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:11:46,015 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\red_core.exe
2025-12-09 07:11:46,015 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2025-12-09 07:11:46,015 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2025-12-09 07:11:46,015 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2025-12-09 07:11:46,015 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2025-12-09 07:11:46,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-09 07:11:46,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-09 07:11:46,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-09 07:11:46,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-09 07:11:46,078 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-09 07:11:46,171 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-09 07:11:46,171 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-09 07:11:46,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-09 07:11:46,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-09 07:11:46,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-09 07:11:46,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-09 07:11:46,187 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-09 07:11:46,187 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-09 07:11:46,187 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-09 07:11:46,187 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-09 07:11:46,187 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-09 07:11:46,187 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-09 07:11:46,187 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-09 07:11:46,187 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-09 07:11:46,187 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-09 07:11:46,187 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-09 07:11:46,187 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-09 07:11:46,187 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-09 07:11:46,187 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-09 07:11:46,187 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-09 07:11:46,187 [modules.auxiliary.disguise] INFO: Disguising GUID to 564b56dd-e9d9-4da3-aecb-f656626eec13
2025-12-09 07:11:46,187 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-09 07:11:46,187 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-09 07:11:46,187 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-09 07:11:46,187 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-09 07:11:46,187 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-09 07:11:46,203 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-09 07:11:46,203 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-09 07:11:46,203 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-09 07:11:46,203 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-09 07:11:46,203 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-09 07:11:46,203 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-09 07:11:46,203 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-09 07:11:46,203 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-09 07:11:46,203 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-09 07:11:46,203 [root] DEBUG: attempting to configure 'Human' from data
2025-12-09 07:11:46,203 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-09 07:11:46,203 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-09 07:11:46,203 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-09 07:11:46,203 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-09 07:11:46,203 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-09 07:11:46,203 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-09 07:11:46,203 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-09 07:11:46,203 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-09 07:11:46,203 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-09 07:11:46,203 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-09 07:11:46,203 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-09 07:11:46,203 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-09 07:11:46,203 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-09 07:11:46,203 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-09 07:11:46,203 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-09 07:11:46,203 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-09 07:11:46,203 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-09 07:11:46,281 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-09 07:11:46,328 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-09 07:11:46,343 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-09 07:11:46,343 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-09 07:11:46,343 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-09 07:11:46,343 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-09 07:11:46,343 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-09 07:11:46,343 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 448
2025-12-09 07:11:46,343 [lib.api.process] INFO: Monitor config for <Process 448 lsass.exe>: C:\tmpug94sp1v\dll\448.ini
2025-12-09 07:11:46,343 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-09 07:11:46,343 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:11:46,375 [root] DEBUG: Loader: Injecting process 448 with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:11:46,390 [root] DEBUG: 448: Python path set to 'C:\Python38'.
2025-12-09 07:11:46,390 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:46,390 [root] DEBUG: 448: TLS secret dump mode enabled.
2025-12-09 07:11:46,390 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-09 07:11:46,390 [root] DEBUG: 448: Monitor initialised: 64-bit capemon loaded in process 448 at 0x000007FEF30B0000, thread 412, image base 0x00000000FF3B0000, stack from 0x00000000018A4000-0x00000000018B0000
2025-12-09 07:11:46,390 [root] DEBUG: 448: Commandline: C:\Windows\system32\lsass.exe
2025-12-09 07:11:46,406 [root] DEBUG: 448: Hooked 5 out of 5 functions
2025-12-09 07:11:46,406 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:46,406 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:11:46,406 [lib.api.process] INFO: Injected into 64-bit <Process 448 lsass.exe>
2025-12-09 07:11:46,406 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-09 07:11:46,406 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-09 07:11:46,406 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-09 07:11:46,406 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-09 07:11:46,406 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-09 07:11:46,406 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-09 07:11:46,406 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-09 07:11:46,406 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-09 07:11:46,406 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-09 07:11:46,406 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-09 07:11:46,406 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-09 07:11:46,437 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-09 07:11:46,437 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-09 07:11:46,468 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-09 07:11:46,531 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-09 07:11:46,531 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-09 07:11:46,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-09 07:11:46,593 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-09 07:11:46,609 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-09 07:11:46,625 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-09 07:11:46,656 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-09 07:11:46,671 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-09 07:11:46,687 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-09 07:11:46,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-09 07:11:46,734 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-09 07:11:46,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-09 07:11:46,765 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-09 07:11:46,781 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-09 07:11:46,796 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-09 07:11:46,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-09 07:11:46,812 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-09 07:11:46,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-09 07:11:46,843 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-09 07:11:46,859 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-09 07:11:46,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-09 07:11:46,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-09 07:11:46,906 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-09 07:11:46,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-09 07:11:46,937 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-09 07:11:46,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:11:46,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:11:46,984 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-09 07:11:47,000 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-09 07:11:47,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-09 07:11:47,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-09 07:11:47,031 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-09 07:11:47,046 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-09 07:11:47,062 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-09 07:11:47,078 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-09 07:11:47,093 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-09 07:11:47,109 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-09 07:11:47,125 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-09 07:11:47,140 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-09 07:11:47,156 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-09 07:11:47,171 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-09 07:11:47,187 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-09 07:11:47,203 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-09 07:11:47,218 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-09 07:11:47,234 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-09 07:11:47,249 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-09 07:11:47,265 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-09 07:11:47,281 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-09 07:11:47,281 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-09 07:11:47,312 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-09 07:11:47,328 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-09 07:11:47,343 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-09 07:11:47,359 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-09 07:11:47,375 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-09 07:11:47,390 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-09 07:11:47,406 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-09 07:11:47,421 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-09 07:11:47,437 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-09 07:11:51,515 [root] INFO: Restarting WMI Service
2025-12-09 07:11:53,546 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2025-12-09 07:11:53,546 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2025-12-09 07:11:53,546 [lib.common.common] INFO: Submitted file is missing extension, adding .dll
2025-12-09 07:11:53,546 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:11:53,546 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1" with pid 2392
2025-12-09 07:11:53,546 [lib.api.process] INFO: Monitor config for <Process 2392 rundll32.exe>: C:\tmpug94sp1v\dll\2392.ini
2025-12-09 07:11:53,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpug94sp1v\dll\secKvpN.dll, loader C:\tmpug94sp1v\bin\ewYHpDS.exe
2025-12-09 07:11:53,562 [root] DEBUG: Loader: Injecting process 2392 (thread 2264) with C:\tmpug94sp1v\dll\secKvpN.dll.
2025-12-09 07:11:53,562 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:11:53,562 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\secKvpN.dll.
2025-12-09 07:11:53,562 [lib.api.process] INFO: Injected into 32-bit <Process 2392 rundll32.exe>
2025-12-09 07:11:55,562 [lib.api.process] INFO: Successfully resumed <Process 2392 rundll32.exe>
2025-12-09 07:11:55,593 [root] DEBUG: 2392: Python path set to 'C:\Python38'.
2025-12-09 07:11:55,593 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:55,593 [root] DEBUG: 2392: Dropped file limit defaulting to 100.
2025-12-09 07:11:55,593 [root] DEBUG: 2392: YaraInit: Compiled 41 rule files
2025-12-09 07:11:55,593 [root] DEBUG: 2392: YaraInit: Compiled rules saved to file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:11:55,593 [root] DEBUG: 2392: YaraScan: Scanning 0x00D70000, size 0xd260
2025-12-09 07:11:55,593 [root] DEBUG: 2392: Monitor initialised: 32-bit capemon loaded in process 2392 at 0x74260000, thread 2264, image base 0xd70000, stack from 0x144000-0x150000
2025-12-09 07:11:55,593 [root] DEBUG: 2392: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\red_core.exe.dll",#1
2025-12-09 07:11:55,593 [root] DEBUG: 2392: GetAddressByYara: ModuleBase 0x77920000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:55,593 [root] DEBUG: 2392: hook_api: Warning - CreateProcessA export address 0x77391072 differs from GetProcAddress -> 0x74602437 (AcLayers.DLL::0x12437)
2025-12-09 07:11:55,593 [root] DEBUG: 2392: hook_api: Warning - CreateProcessW export address 0x7739103D differs from GetProcAddress -> 0x746025AB (AcLayers.DLL::0x125ab)
2025-12-09 07:11:55,593 [root] DEBUG: 2392: hook_api: Warning - WinExec export address 0x77413301 differs from GetProcAddress -> 0x7460271F (AcLayers.DLL::0x1271f)
2025-12-09 07:11:55,593 [root] DEBUG: 2392: hook_api: Warning - CreateRemoteThreadEx export address 0x7744A337 differs from GetProcAddress -> 0x75A8403A (KERNELBASE.dll::0x1403a)
2025-12-09 07:11:55,593 [root] DEBUG: 2392: hook_api: Warning - UpdateProcThreadAttribute export address 0x7744ABB7 differs from GetProcAddress -> 0x75A7FA26 (KERNELBASE.dll::0xfa26)
2025-12-09 07:11:55,609 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:55,609 [root] DEBUG: 2392: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:55,609 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:55,609 [root] DEBUG: 2392: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:55,609 [root] DEBUG: 2392: Hooked 611 out of 613 functions
2025-12-09 07:11:55,609 [root] DEBUG: 2392: WoW64 detected: 64-bit ntdll base: 0x77760000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x777cb510, Wow64PrepareForException: 0x0
2025-12-09 07:11:55,609 [root] DEBUG: 2392: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1d0000
2025-12-09 07:11:55,609 [root] INFO: Loaded monitor into process with pid 2392
2025-12-09 07:11:55,609 [root] DEBUG: 2392: caller_dispatch: Added region at 0x00D70000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00D715D3, thread 2264).
2025-12-09 07:11:55,609 [root] DEBUG: 2392: YaraScan: Scanning 0x00D70000, size 0xd260
2025-12-09 07:11:55,609 [root] DEBUG: 2392: ProcessImageBase: Main module image at 0x00D70000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:11:55,625 [root] DEBUG: 2392: Target DLL loaded at 0x74180000: C:\Users\user\AppData\Local\Temp\red_core.exe (0x6c000 bytes).
2025-12-09 07:11:55,625 [root] DEBUG: 2392: YaraScan: Scanning 0x74180000, size 0x6a272
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x752B0000: C:\Windows\syswow64\WININET (0x437000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x764F0000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x76070000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x76060000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x765C0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x75140000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x761E0000: C:\Windows\syswow64\iertutil (0x238000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x752A0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:11:55,640 [root] DEBUG: 2392: DLL loaded at 0x74550000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: DLL loaded at 0x74210000: C:\Windows\system32\wevtapi (0x42000 bytes).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: DLL loaded at 0x73BE0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: DLL loaded at 0x73BD0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: caller_dispatch: Added region at 0x74180000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x7419D6B1, thread 2264).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: caller_dispatch: Scanning calling region at 0x74180000...
2025-12-09 07:11:55,656 [root] DEBUG: 2392: DLL loaded at 0x74200000: C:\Windows\SysWOW64\Secur32 (0x8000 bytes).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: DLL loaded at 0x741F0000: C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:11:55,656 [root] DEBUG: 2392: DLL loaded at 0x765D0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:11:55,671 [root] DEBUG: 2392: DLL loaded at 0x74120000: C:\Windows\system32\winhttp (0x58000 bytes).
2025-12-09 07:11:55,671 [root] DEBUG: 2392: DLL loaded at 0x740D0000: C:\Windows\system32\webio (0x50000 bytes).
2025-12-09 07:11:55,671 [root] DEBUG: 2392: DLL loaded at 0x74170000: C:\Windows\system32\NLAapi (0x10000 bytes).
2025-12-09 07:11:55,671 [root] DEBUG: 2392: DLL loaded at 0x74160000: C:\Windows\system32\napinsp (0x10000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2392: DLL loaded at 0x74140000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2025-12-09 07:11:55,687 [root] DEBUG: 2392: DLL loaded at 0x73390000: C:\Windows\System32\mswsock (0x3c000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2392: DLL loaded at 0x740F0000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2392: DLL loaded at 0x740E0000: C:\Windows\System32\winrnr (0x8000 bytes).
2025-12-09 07:11:55,703 [root] DEBUG: 2392: DLL loaded at 0x740A0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2392: DLL loaded at 0x74090000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2392: DLL loaded at 0x73BA0000: C:\Windows\SysWOW64\dhcpcsvc (0x12000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2392: DLL loaded at 0x74AC0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2025-12-09 07:11:55,718 [root] DEBUG: 2392: DLL loaded at 0x73370000: C:\Windows\System32\wship6 (0x6000 bytes).
2025-12-09 07:11:55,734 [root] DEBUG: 2392: DLL loaded at 0x74070000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2025-12-09 07:11:56,718 [root] DEBUG: 2392: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate
2025-12-09 07:11:56,718 [root] DEBUG: 2392: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate
2025-12-09 07:11:56,718 [root] DEBUG: 2392: DLL loaded at 0x750A0000: C:\Windows\syswow64\COMDLG32 (0x7b000 bytes).
2025-12-09 07:11:56,734 [root] DEBUG: 2392: DLL loaded at 0x73DD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2025-12-09 07:11:56,734 [root] DEBUG: 2392: DLL loaded at 0x73D90000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2025-12-09 07:11:56,734 [root] DEBUG: 2392: ProtectionHandler: Adding region at 0x10001000 to tracked regions.
2025-12-09 07:11:56,734 [root] DEBUG: 2392: DumpPEsInRange: Scanning range 0x10000000 - 0x1004C200.
2025-12-09 07:11:56,734 [root] DEBUG: 2392: DLL loaded at 0x756F0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2025-12-09 07:11:56,750 [root] DEBUG: 2392: ScanForDisguisedPE: PE image located at: 0x10000000
2025-12-09 07:11:56,750 [root] DEBUG: 2392: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-12-09 07:11:56,750 [root] DEBUG: 2392: DumpProcess: Instantiating PeParser with address: 0x10000000.
2025-12-09 07:11:56,750 [root] DEBUG: 2392: DumpProcess: Module entry point VA is 0x0001C50E.
2025-12-09 07:11:56,750 [root] DEBUG: 2392: DLL loaded at 0x73D10000: C:\Windows\SysWOW64\FirewallAPI (0x76000 bytes).
2025-12-09 07:11:56,750 [root] DEBUG: 2392: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x1004D000, section 5
2025-12-09 07:11:56,750 [lib.common.results] INFO: Uploading file C:\vZreiI\CAPE\2392_307505651692122025 to CAPE\121be15f21b26a0d4abd507a6c402cf1e0e00f0b13c23497f563a1572a265bc9; Size is 279040; Max size: 100000000
2025-12-09 07:11:56,765 [root] DEBUG: 2392: DumpProcess: Module image dump success - dump size 0x44200.
2025-12-09 07:11:56,765 [root] DEBUG: 2392: ScanForDisguisedPE: No PE image located in range 0x10001000-0x1004C200.
2025-12-09 07:11:56,765 [root] DEBUG: 2392: DumpRegion: Dumped PE image(s) from base address 0x10000000, size 315392 bytes.
2025-12-09 07:11:56,765 [root] DEBUG: 2392: ProcessTrackedRegion: Dumped region at 0x10000000.
2025-12-09 07:11:56,765 [root] DEBUG: 2392: YaraScan: Scanning 0x10000000, size 0x4c200
2025-12-09 07:11:56,781 [root] DEBUG: 2392: DLL loaded at 0x73D00000: C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2025-12-09 07:11:56,781 [root] DEBUG: 2392: DLL loaded at 0x73380000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2025-12-09 07:11:56,812 [root] DEBUG: 2392: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:11:56,843 [root] DEBUG: 2392: CreateProcessHandler: Injection info set for new process 1856: C:\Windows\SysWOW64\TASKKILL.exe, ImageBase: 0x00F20000
2025-12-09 07:11:56,843 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 1856
2025-12-09 07:11:56,843 [lib.api.process] INFO: Monitor config for <Process 1856 taskkill.exe>: C:\tmpug94sp1v\dll\1856.ini
2025-12-09 07:11:56,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpug94sp1v\dll\secKvpN.dll, loader C:\tmpug94sp1v\bin\ewYHpDS.exe
2025-12-09 07:11:56,859 [root] DEBUG: Loader: Injecting process 1856 (thread 1964) with C:\tmpug94sp1v\dll\secKvpN.dll.
2025-12-09 07:11:56,859 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:11:56,859 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\secKvpN.dll.
2025-12-09 07:11:56,859 [lib.api.process] INFO: Injected into 32-bit <Process 1856 taskkill.exe>
2025-12-09 07:11:56,875 [root] INFO: Announced 32-bit process name: taskkill.exe pid: 1856
2025-12-09 07:11:56,875 [lib.api.process] INFO: Monitor config for <Process 1856 taskkill.exe>: C:\tmpug94sp1v\dll\1856.ini
2025-12-09 07:11:56,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpug94sp1v\dll\secKvpN.dll, loader C:\tmpug94sp1v\bin\ewYHpDS.exe
2025-12-09 07:11:56,895 [root] DEBUG: Loader: Injecting process 1856 (thread 1964) with C:\tmpug94sp1v\dll\secKvpN.dll.
2025-12-09 07:11:56,895 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:11:56,895 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\secKvpN.dll.
2025-12-09 07:11:56,896 [lib.api.process] INFO: Injected into 32-bit <Process 1856 taskkill.exe>
2025-12-09 07:11:56,915 [root] DEBUG: 1856: Python path set to 'C:\Python38'.
2025-12-09 07:11:56,915 [root] DEBUG: 1856: Dropped file limit defaulting to 100.
2025-12-09 07:11:56,915 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:56,915 [root] DEBUG: 1856: YaraInit: Compiled rules loaded from existing file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:11:56,915 [root] DEBUG: 1856: YaraScan: Scanning 0x00F20000, size 0x15b2c
2025-12-09 07:11:56,922 [root] DEBUG: 1856: Monitor initialised: 32-bit capemon loaded in process 1856 at 0x74260000, thread 1964, image base 0xf20000, stack from 0x206000-0x210000
2025-12-09 07:11:56,922 [root] DEBUG: 1856: Commandline: TASKKILL /F /IM rundll32.exe
2025-12-09 07:11:56,922 [root] DEBUG: 1856: GetAddressByYara: ModuleBase 0x77920000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:56,922 [root] DEBUG: 1856: hook_api: Warning - CreateRemoteThreadEx export address 0x7744A337 differs from GetProcAddress -> 0x75A8403A (KERNELBASE.dll::0x1403a)
2025-12-09 07:11:56,922 [root] DEBUG: 1856: hook_api: Warning - UpdateProcThreadAttribute export address 0x7744ABB7 differs from GetProcAddress -> 0x75A7FA26 (KERNELBASE.dll::0xfa26)
2025-12-09 07:11:56,930 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:11:56,930 [root] DEBUG: 1856: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:11:56,930 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:11:56,930 [root] DEBUG: 1856: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:11:56,930 [root] DEBUG: 1856: hook_api: Warning - NetUserGetInfo export address 0x73D3528E differs from GetProcAddress -> 0x73CD1BE2 (SAMCLI.DLL::0x1be2)
2025-12-09 07:11:56,930 [root] DEBUG: 1856: hook_api: Warning - NetGetJoinInformation export address 0x73D34AD2 differs from GetProcAddress -> 0x73D12C3F (wkscli.dll::0x2c3f)
2025-12-09 07:11:56,930 [root] DEBUG: 1856: hook_api: Warning - NetUserGetLocalGroups export address 0x73D352A4 differs from GetProcAddress -> 0x73CD28AA (SAMCLI.DLL::0x28aa)
2025-12-09 07:11:56,930 [root] DEBUG: 1856: hook_api: Warning - DsEnumerateDomainTrustsW export address 0x73D33C9E differs from GetProcAddress -> 0x739AB202 (LOGONCLI.DLL::0xb202)
2025-12-09 07:11:56,930 [root] DEBUG: 1856: Hooked 611 out of 613 functions
2025-12-09 07:11:56,930 [root] DEBUG: 1856: WoW64 detected: 64-bit ntdll base: 0x77760000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x777cb510, Wow64PrepareForException: 0x0
2025-12-09 07:11:56,930 [root] DEBUG: 1856: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2025-12-09 07:11:56,938 [root] INFO: Loaded monitor into process with pid 1856
2025-12-09 07:11:56,938 [root] DEBUG: 1856: caller_dispatch: Added region at 0x00F20000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00F25CCC, thread 1964).
2025-12-09 07:11:56,938 [root] DEBUG: 1856: YaraScan: Scanning 0x00F20000, size 0x15b2c
2025-12-09 07:11:56,938 [root] DEBUG: 1856: ProcessImageBase: Main module image at 0x00F20000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:11:56,938 [lib.api.process] INFO: Monitor config for <Process 556 svchost.exe>: C:\tmpug94sp1v\dll\556.ini
2025-12-09 07:11:56,946 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:11:56,946 [root] DEBUG: Loader: Injecting process 556 with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:11:56,946 [root] DEBUG: 556: Python path set to 'C:\Python38'.
2025-12-09 07:11:56,946 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:56,946 [root] DEBUG: 556: Dropped file limit defaulting to 100.
2025-12-09 07:11:56,946 [root] DEBUG: 556: parent_has_path: unable to get path for parent process 432
2025-12-09 07:11:56,954 [root] DEBUG: 556: YaraInit: Compiled rules loaded from existing file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:11:56,954 [root] DEBUG: 556: YaraScan: Scanning 0x00000000FF1E0000, size 0xa052
2025-12-09 07:11:56,954 [root] DEBUG: 556: Monitor initialised: 64-bit capemon loaded in process 556 at 0x000007FEF30B0000, thread 2872, image base 0x00000000FF1E0000, stack from 0x00000000014C6000-0x00000000014D0000
2025-12-09 07:11:56,954 [root] DEBUG: 556: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch
2025-12-09 07:11:56,954 [root] DEBUG: 556: GetAddressByYara: ModuleBase 0x0000000077760000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:56,969 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:11:56,969 [root] DEBUG: 556: set_hooks: Unable to hook LockResource
2025-12-09 07:11:56,969 [root] DEBUG: 556: Hooked 605 out of 606 functions
2025-12-09 07:11:56,969 [root] INFO: Loaded monitor into process with pid 556
2025-12-09 07:11:56,977 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:56,977 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:11:56,977 [lib.api.process] INFO: Injected into 64-bit <Process 556 svchost.exe>
2025-12-09 07:11:57,524 [root] DEBUG: 2392: api-cap: GetAsyncKeyState hook disabled due to count: 5000
2025-12-09 07:11:57,547 [modules.auxiliary.human] INFO: Found button "ok", clicking it
2025-12-09 07:11:58,383 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 744, handle 0x3c8: C:\Windows\System32\audiodg.exe
2025-12-09 07:11:58,555 [root] INFO: Process with pid 2392 has terminated
2025-12-09 07:11:58,555 [root] DEBUG: 2392: NtTerminateProcess hook: Attempting to dump process 2392
2025-12-09 07:11:58,555 [root] DEBUG: 2392: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:11:58,977 [lib.api.process] INFO: Monitor config for <Process 2384 svchost.exe>: C:\tmpug94sp1v\dll\2384.ini
2025-12-09 07:11:58,977 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:11:58,977 [root] DEBUG: Loader: Injecting process 2384 with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:11:58,977 [root] DEBUG: 2384: Python path set to 'C:\Python38'.
2025-12-09 07:11:58,977 [root] INFO: Disabling sleep skipping.
2025-12-09 07:11:58,977 [root] DEBUG: 2384: Dropped file limit defaulting to 100.
2025-12-09 07:11:58,977 [root] DEBUG: 2384: parent_has_path: unable to get path for parent process 432
2025-12-09 07:11:58,977 [root] DEBUG: 2384: YaraInit: Compiled rules loaded from existing file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:11:58,977 [root] DEBUG: 2384: YaraScan: Scanning 0x00000000FF1E0000, size 0xa052
2025-12-09 07:11:58,977 [root] DEBUG: 2384: Monitor initialised: 64-bit capemon loaded in process 2384 at 0x000007FEF30B0000, thread 2084, image base 0x00000000FF1E0000, stack from 0x00000000011B6000-0x00000000011C0000
2025-12-09 07:11:58,977 [root] DEBUG: 2384: Commandline: C:\Windows\system32\svchost.exe -k netsvcs
2025-12-09 07:11:58,993 [root] DEBUG: 2384: GetAddressByYara: ModuleBase 0x0000000077760000 FunctionName LdrpCallInitRoutine
2025-12-09 07:11:58,993 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:11:58,993 [root] DEBUG: 2384: set_hooks: Unable to hook LockResource
2025-12-09 07:11:59,008 [root] DEBUG: 2384: Hooked 605 out of 606 functions
2025-12-09 07:11:59,008 [root] INFO: Loaded monitor into process with pid 2384
2025-12-09 07:11:59,008 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:11:59,008 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:11:59,008 [lib.api.process] INFO: Injected into 64-bit <Process 2384 svchost.exe>
2025-12-09 07:12:01,008 [root] DEBUG: 1856: DLL loaded at 0x756F0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2025-12-09 07:12:01,008 [root] DEBUG: 1856: DLL loaded at 0x74670000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1856: DLL loaded at 0x74600000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1856: DLL loaded at 0x745D0000: C:\Windows\system32\Winsta (0x29000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1856: DLL loaded at 0x73140000: C:\Windows\SysWOW64\CRYPTSP (0x17000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1856: DLL loaded at 0x73100000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2025-12-09 07:12:01,024 [root] DEBUG: 1856: DLL loaded at 0x745C0000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2025-12-09 07:12:01,040 [root] DEBUG: 2384: DLL loaded at 0x000007FEF8770000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2025-12-09 07:12:01,055 [root] DEBUG: 2384: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\ATL (0x19000 bytes).
2025-12-09 07:12:01,055 [root] DEBUG: 2384: DLL loaded at 0x000007FEF86D0000: C:\Windows\system32\VssTrace (0x17000 bytes).
2025-12-09 07:12:01,055 [root] DEBUG: 2384: DLL loaded at 0x000007FEFB150000: C:\Windows\system32\samcli (0x14000 bytes).
2025-12-09 07:12:01,055 [root] DEBUG: 2384: DLL loaded at 0x000007FEFBBD0000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2025-12-09 07:12:01,055 [root] DEBUG: 2384: DLL loaded at 0x000007FEFB190000: C:\Windows\system32\netutils (0xc000 bytes).
2025-12-09 07:12:01,055 [root] DEBUG: 2384: DLL loaded at 0x000007FEFAC90000: C:\Windows\system32\es (0x67000 bytes).
2025-12-09 07:12:01,071 [root] DEBUG: 2384: DLL loaded at 0x000007FEFBAA0000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2025-12-09 07:12:01,071 [root] DEBUG: 2384: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:12:01,086 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6C70000: C:\Windows\system32\wbem\wbemcore (0x12c000 bytes).
2025-12-09 07:12:01,086 [root] DEBUG: 2384: DLL loaded at 0x000007FEFC390000: C:\Windows\system32\VERSION (0xc000 bytes).
2025-12-09 07:12:01,102 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6B80000: C:\Windows\system32\wbem\esscli (0x62000 bytes).
2025-12-09 07:12:01,102 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6FE0000: C:\Windows\system32\wbem\FastProx (0xd3000 bytes).
2025-12-09 07:12:01,102 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6F60000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2025-12-09 07:12:01,102 [root] DEBUG: 2384: DLL loaded at 0x000007FEF68B0000: C:\Windows\system32\wbem\wbemsvc (0x13000 bytes).
2025-12-09 07:12:01,102 [root] DEBUG: 1856: DLL loaded at 0x745B0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 1856: DLL loaded at 0x74150000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 1856: DLL loaded at 0x74590000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 2384: DLL loaded at 0x000007FEFCC70000: C:\Windows\system32\authZ (0x2f000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6880000: C:\Windows\system32\wbem\wmiutils (0x21000 bytes).
2025-12-09 07:12:01,118 [root] DEBUG: 2384: set_hooks_by_export_directory: Hooked 0 out of 606 functions
2025-12-09 07:12:01,133 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6820000: C:\Windows\system32\wbem\repdrvfs (0x5a000 bytes).
2025-12-09 07:12:01,149 [root] DEBUG: 2384: DLL loaded at 0x000007FEFCCB0000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2025-12-09 07:12:01,274 [root] DEBUG: 2384: set_hooks_by_export_directory: Hooked 0 out of 606 functions
2025-12-09 07:12:01,274 [root] DEBUG: 2384: DLL loaded at 0x000007FEF66E0000: C:\Windows\system32\wbem\wmiprvsd (0xb5000 bytes).
2025-12-09 07:12:01,274 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6500000: C:\Windows\system32\NCObjAPI (0x12000 bytes).
2025-12-09 07:12:01,290 [root] DEBUG: 2384: OpenProcessHandler: Injection info created for process 556, handle 0x2d0: C:\Windows\System32\svchost.exe
2025-12-09 07:12:01,290 [root] DEBUG: 2384: DLL loaded at 0x000007FEF60E0000: C:\Windows\system32\wbem\wbemess (0x71000 bytes).
2025-12-09 07:12:01,368 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 812: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x000000013F730000
2025-12-09 07:12:01,368 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 812
2025-12-09 07:12:01,368 [lib.api.process] INFO: Monitor config for <Process 812 WmiPrvSE.exe>: C:\tmpug94sp1v\dll\812.ini
2025-12-09 07:12:01,368 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:12:01,399 [root] DEBUG: Loader: Injecting process 812 (thread 1648) with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:01,399 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:01,399 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:01,399 [lib.api.process] INFO: Injected into 64-bit <Process 812 WmiPrvSE.exe>
2025-12-09 07:12:01,399 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 812
2025-12-09 07:12:01,399 [lib.api.process] INFO: Monitor config for <Process 812 WmiPrvSE.exe>: C:\tmpug94sp1v\dll\812.ini
2025-12-09 07:12:01,399 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:12:01,415 [root] DEBUG: Loader: Injecting process 812 (thread 1648) with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:01,415 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:01,415 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:01,415 [root] DEBUG: 2384: DLL loaded at 0x000007FEF6FA0000: C:\Windows\system32\wbem\ncprov (0x17000 bytes).
2025-12-09 07:12:01,430 [lib.api.process] INFO: Injected into 64-bit <Process 812 WmiPrvSE.exe>
2025-12-09 07:12:01,430 [root] DEBUG: 812: Python path set to 'C:\Python38'.
2025-12-09 07:12:01,430 [root] DEBUG: 812: Dropped file limit defaulting to 100.
2025-12-09 07:12:01,430 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:01,430 [root] DEBUG: 812: Services hook set enabled
2025-12-09 07:12:01,446 [root] DEBUG: 812: YaraInit: Compiled rules loaded from existing file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:12:01,461 [root] DEBUG: 812: Monitor initialised: 64-bit capemon loaded in process 812 at 0x000007FEF30B0000, thread 1648, image base 0x000000013F730000, stack from 0x0000000000180000-0x0000000000190000
2025-12-09 07:12:01,461 [root] DEBUG: 812: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2025-12-09 07:12:01,461 [root] DEBUG: 812: Hooked 69 out of 69 functions
2025-12-09 07:12:01,461 [root] INFO: Loaded monitor into process with pid 812
2025-12-09 07:12:01,461 [root] DEBUG: 812: DLL loaded at 0x000007FEFD110000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:12:01,461 [root] DEBUG: 812: DLL loaded at 0x000007FEFB120000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2025-12-09 07:12:01,461 [root] DEBUG: 812: DLL loaded at 0x000007FEFE460000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2025-12-09 07:12:01,477 [root] DEBUG: 812: DLL loaded at 0x000007FEFE7F0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:12:01,477 [root] DEBUG: 812: DLL loaded at 0x000007FEF7DB0000: C:\Windows\system32\wbem\wbemprox (0xe000 bytes).
2025-12-09 07:12:01,493 [root] DEBUG: 812: DLL loaded at 0x000007FEFCA50000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:12:01,493 [root] DEBUG: 812: DLL loaded at 0x000007FEFC750000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:12:01,493 [root] DEBUG: 812: DLL loaded at 0x000007FEFD200000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:12:01,493 [root] DEBUG: 812: DLL loaded at 0x000007FEF68B0000: C:\Windows\system32\wbem\wbemsvc (0x13000 bytes).
2025-12-09 07:12:01,493 [root] DEBUG: 2384: OpenProcessHandler: Injection info created for process 812, handle 0x54c: C:\Windows\System32\wbem\WmiPrvSE.exe
2025-12-09 07:12:01,508 [root] DEBUG: 812: DLL loaded at 0x000007FEF6880000: C:\Windows\system32\wbem\wmiutils (0x21000 bytes).
2025-12-09 07:12:01,524 [root] DEBUG: 812: DLL loaded at 0x000007FEF1990000: C:\Windows\system32\wbem\cimwin32 (0x1fa000 bytes).
2025-12-09 07:12:01,524 [root] DEBUG: 812: DLL loaded at 0x000007FEF3560000: C:\Windows\system32\framedynos (0x43000 bytes).
2025-12-09 07:12:01,540 [root] DEBUG: 812: DLL loaded at 0x000007FEF6DA0000: C:\Windows\system32\WINBRAND (0x8000 bytes).
2025-12-09 07:12:01,571 [root] DEBUG: 1856: NtTerminateProcess hook: Attempting to dump process 1856
2025-12-09 07:12:01,571 [root] DEBUG: 1856: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:01,571 [root] INFO: Process with pid 1856 has terminated
2025-12-09 07:12:08,430 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1460, handle 0x610: C:\Windows\System32\taskeng.exe
2025-12-09 07:12:08,555 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2808, handle 0x610: C:\Windows\System32\taskeng.exe
2025-12-09 07:12:09,055 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1260, handle 0x3fc: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
2025-12-09 07:12:10,758 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1272, handle 0x3fc: C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe
2025-12-09 07:12:10,774 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1208, handle 0x3fc: C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe
2025-12-09 07:12:20,180 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 932: C:\Windows\system32\DllHost.exe, ImageBase: 0x00000000FF6D0000
2025-12-09 07:12:20,211 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 932
2025-12-09 07:12:20,211 [lib.api.process] INFO: Monitor config for <Process 932 dllhost.exe>: C:\tmpug94sp1v\dll\932.ini
2025-12-09 07:12:20,211 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:12:20,274 [root] DEBUG: Loader: Injecting process 932 (thread 2296) with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:20,274 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:20,290 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:20,305 [lib.api.process] INFO: Injected into 64-bit <Process 932 dllhost.exe>
2025-12-09 07:12:20,305 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 932
2025-12-09 07:12:20,305 [lib.api.process] INFO: Monitor config for <Process 932 dllhost.exe>: C:\tmpug94sp1v\dll\932.ini
2025-12-09 07:12:20,321 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:12:20,321 [root] DEBUG: Loader: Injecting process 932 (thread 2296) with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:20,321 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:20,321 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:20,321 [lib.api.process] INFO: Injected into 64-bit <Process 932 dllhost.exe>
2025-12-09 07:12:20,352 [root] DEBUG: 932: Python path set to 'C:\Python38'.
2025-12-09 07:12:20,352 [root] DEBUG: 932: Dropped file limit defaulting to 100.
2025-12-09 07:12:20,368 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:20,368 [root] DEBUG: 932: YaraInit: Compiled rules loaded from existing file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:12:20,368 [root] DEBUG: 932: YaraScan: Scanning 0x00000000FF6D0000, size 0x6012
2025-12-09 07:12:20,368 [root] DEBUG: 932: Monitor initialised: 64-bit capemon loaded in process 932 at 0x000007FEF30B0000, thread 2296, image base 0x00000000FF6D0000, stack from 0x00000000002C5000-0x00000000002D0000
2025-12-09 07:12:20,368 [root] DEBUG: 932: Commandline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
2025-12-09 07:12:20,368 [root] DEBUG: 932: GetAddressByYara: ModuleBase 0x0000000077760000 FunctionName LdrpCallInitRoutine
2025-12-09 07:12:20,383 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:12:20,383 [root] DEBUG: 932: set_hooks: Unable to hook LockResource
2025-12-09 07:12:20,383 [root] DEBUG: 932: Hooked 605 out of 606 functions
2025-12-09 07:12:20,383 [root] INFO: Loaded monitor into process with pid 932
2025-12-09 07:12:20,383 [root] DEBUG: 932: caller_dispatch: Added region at 0x00000000FF6D0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000000FF6D11B5, thread 2296).
2025-12-09 07:12:20,399 [root] DEBUG: 932: YaraScan: Scanning 0x00000000FF6D0000, size 0x6012
2025-12-09 07:12:20,399 [root] DEBUG: 932: ProcessImageBase: Main module image at 0x00000000FF6D0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:20,399 [root] DEBUG: 932: DLL loaded at 0x000007FEFD110000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:12:20,399 [root] DEBUG: 932: DLL loaded at 0x000007FEFE7F0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:12:20,399 [root] DEBUG: 932: DLL loaded at 0x000007FEFEB70000: C:\Windows\system32\OLEAUT32 (0xdb000 bytes).
2025-12-09 07:12:20,415 [root] DEBUG: 932: DLL loaded at 0x000007FEFCA50000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:12:20,430 [root] DEBUG: 932: DLL loaded at 0x000007FEFC750000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:12:20,430 [root] DEBUG: 932: DLL loaded at 0x000007FEFD200000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFB9F0000: C:\Windows\system32\uxtheme (0x56000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFDC70000: C:\Windows\System32\wininet (0x4ac000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFD650000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFD2E0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFC390000: C:\Windows\system32\version (0xc000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFD2D0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x0000000077900000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:12:20,446 [root] DEBUG: 932: DLL loaded at 0x000007FEFE190000: C:\Windows\system32\iertutil (0x2cc000 bytes).
2025-12-09 07:12:20,461 [root] DEBUG: 932: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:12:20,461 [root] DEBUG: 932: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\USERENV (0x1f000 bytes).
2025-12-09 07:12:20,461 [root] DEBUG: 932: DLL loaded at 0x000007FEFD2B0000: C:\Windows\system32\profapi (0xf000 bytes).
2025-12-09 07:12:20,461 [root] DEBUG: 932: DLL loaded at 0x000007FEFD330000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:20,477 [root] DEBUG: 932: DLL loaded at 0x000007FEFCEC0000: C:\Windows\system32\Secur32 (0xb000 bytes).
2025-12-09 07:12:20,477 [root] DEBUG: 932: DLL loaded at 0x000007FEFECB0000: C:\Windows\system32\SHELL32 (0xd8b000 bytes).
2025-12-09 07:12:20,508 [root] DEBUG: 932: DLL loaded at 0x000007FEF9A20000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:12:20,508 [root] DEBUG: 932: DLL loaded at 0x000007FEF85C0000: C:\Windows\system32\winhttp (0x71000 bytes).
2025-12-09 07:12:20,508 [root] DEBUG: 932: DLL loaded at 0x000007FEF8550000: C:\Windows\system32\webio (0x65000 bytes).
2025-12-09 07:12:20,524 [root] DEBUG: 932: DLL loaded at 0x000007FEFC9F0000: C:\Windows\system32\mswsock (0x55000 bytes).
2025-12-09 07:12:20,524 [root] DEBUG: 932: DLL loaded at 0x000007FEFC9E0000: C:\Windows\System32\wship6 (0x7000 bytes).
2025-12-09 07:12:20,524 [root] DEBUG: 932: DLL loaded at 0x000007FEFAB40000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2025-12-09 07:12:20,524 [root] DEBUG: 932: DLL loaded at 0x000007FEFABE0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2025-12-09 07:12:21,571 [root] DEBUG: 2384: caller_dispatch: Added region at 0x00000000FF1E0000 to tracked regions list (ntdll::NtWaitForSingleObject returns to 0x00000000FF1E1318, thread 2412).
2025-12-09 07:12:21,571 [root] DEBUG: 2384: YaraScan: Scanning 0x00000000FF1E0000, size 0xa052
2025-12-09 07:12:21,571 [root] DEBUG: 2384: ProcessImageBase: Main module image at 0x00000000FF1E0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:23,883 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1600, handle 0x4ac: C:\Windows\System32\schtasks.exe
2025-12-09 07:12:23,915 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1544, handle 0x4ac: C:\Windows\System32\schtasks.exe
2025-12-09 07:12:23,930 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 2264, handle 0x4ac: C:\Windows\System32\schtasks.exe
2025-12-09 07:12:25,524 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
2025-12-09 07:12:25,524 [root] INFO: Process with pid 932 has terminated
2025-12-09 07:12:25,524 [root] DEBUG: 932: NtTerminateProcess hook: Attempting to dump process 932
2025-12-09 07:12:25,524 [root] DEBUG: 932: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:12:46,180 [root] DEBUG: 556: OpenProcessHandler: Injection info created for process 1180, handle 0x5a0: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
2025-12-09 07:12:46,321 [root] DEBUG: 556: CreateProcessHandler: Injection info set for new process 2160: C:\Windows\system32\DllHost.exe, ImageBase: 0x00000000FF5E0000
2025-12-09 07:12:46,336 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 2160
2025-12-09 07:12:46,336 [lib.api.process] INFO: Monitor config for <Process 2160 dllhost.exe>: C:\tmpug94sp1v\dll\2160.ini
2025-12-09 07:12:46,352 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:12:46,352 [root] DEBUG: Loader: Injecting process 2160 (thread 1952) with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:46,368 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:12:46,368 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:46,368 [lib.api.process] INFO: Injected into 64-bit <Process 2160 dllhost.exe>
2025-12-09 07:12:46,368 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 2160
2025-12-09 07:12:46,368 [lib.api.process] INFO: Monitor config for <Process 2160 dllhost.exe>: C:\tmpug94sp1v\dll\2160.ini
2025-12-09 07:12:46,368 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpug94sp1v\dll\QXJySv.dll, loader C:\tmpug94sp1v\bin\GzBBPzDS.exe
2025-12-09 07:12:46,399 [root] DEBUG: Loader: Injecting process 2160 (thread 1952) with C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:46,399 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:12:46,399 [root] DEBUG: Successfully injected DLL C:\tmpug94sp1v\dll\QXJySv.dll.
2025-12-09 07:12:46,399 [lib.api.process] INFO: Injected into 64-bit <Process 2160 dllhost.exe>
2025-12-09 07:12:46,399 [root] DEBUG: 2160: Python path set to 'C:\Python38'.
2025-12-09 07:12:46,399 [root] DEBUG: 2160: Dropped file limit defaulting to 100.
2025-12-09 07:12:46,399 [root] INFO: Disabling sleep skipping.
2025-12-09 07:12:46,399 [root] DEBUG: 2160: YaraInit: Compiled rules loaded from existing file C:\tmpug94sp1v\data\yara\capemon.yac
2025-12-09 07:12:46,399 [root] DEBUG: 2160: YaraScan: Scanning 0x00000000FF5E0000, size 0x6012
2025-12-09 07:12:46,415 [root] DEBUG: 2160: Monitor initialised: 64-bit capemon loaded in process 2160 at 0x000007FEF30B0000, thread 1952, image base 0x00000000FF5E0000, stack from 0x00000000001A6000-0x00000000001B0000
2025-12-09 07:12:46,415 [root] DEBUG: 2160: Commandline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
2025-12-09 07:12:46,415 [root] DEBUG: 2160: GetAddressByYara: ModuleBase 0x0000000077760000 FunctionName LdrpCallInitRoutine
2025-12-09 07:12:46,430 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-09 07:12:46,430 [root] DEBUG: 2160: set_hooks: Unable to hook LockResource
2025-12-09 07:12:46,430 [root] DEBUG: 2160: Hooked 605 out of 606 functions
2025-12-09 07:12:46,446 [root] INFO: Loaded monitor into process with pid 2160
2025-12-09 07:12:46,446 [root] DEBUG: 2160: caller_dispatch: Added region at 0x00000000FF5E0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000000FF5E11B5, thread 1952).
2025-12-09 07:12:46,446 [root] DEBUG: 2160: YaraScan: Scanning 0x00000000FF5E0000, size 0x6012
2025-12-09 07:12:46,446 [root] DEBUG: 2160: ProcessImageBase: Main module image at 0x00000000FF5E0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:12:46,446 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD110000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-12-09 07:12:46,446 [root] DEBUG: 2160: DLL loaded at 0x000007FEFE7F0000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-12-09 07:12:46,446 [root] DEBUG: 2160: DLL loaded at 0x000007FEFEB70000: C:\Windows\system32\OLEAUT32 (0xdb000 bytes).
2025-12-09 07:12:46,477 [root] DEBUG: 2160: DLL loaded at 0x000007FEFCA50000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-12-09 07:12:46,477 [root] DEBUG: 2160: DLL loaded at 0x000007FEFC750000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-12-09 07:12:46,477 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD200000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-12-09 07:12:46,493 [root] DEBUG: 2160: DLL loaded at 0x000007FEFB9F0000: C:\Windows\system32\uxtheme (0x56000 bytes).
2025-12-09 07:12:46,586 [root] DEBUG: 2160: DLL loaded at 0x000007FEFDC70000: C:\Windows\System32\wininet (0x4ac000 bytes).
2025-12-09 07:12:46,586 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD650000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:46,602 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD2E0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:46,602 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:46,633 [root] DEBUG: 2160: DLL loaded at 0x000007FEFC390000: C:\Windows\system32\version (0xc000 bytes).
2025-12-09 07:12:46,633 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD2D0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2025-12-09 07:12:46,633 [root] DEBUG: 2160: DLL loaded at 0x0000000077900000: C:\Windows\system32\normaliz (0x3000 bytes).
2025-12-09 07:12:46,649 [root] DEBUG: 2160: DLL loaded at 0x000007FEFE190000: C:\Windows\system32\iertutil (0x2cc000 bytes).
2025-12-09 07:12:46,680 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2025-12-09 07:12:46,696 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\USERENV (0x1f000 bytes).
2025-12-09 07:12:46,727 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD2B0000: C:\Windows\system32\profapi (0xf000 bytes).
2025-12-09 07:12:46,727 [root] DEBUG: 2160: DLL loaded at 0x000007FEFD330000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2025-12-09 07:12:46,743 [root] DEBUG: 2160: DLL loaded at 0x000007FEFCEC0000: C:\Windows\system32\Secur32 (0xb000 bytes).
2025-12-09 07:12:46,758 [root] DEBUG: 2160: DLL loaded at 0x000007FEFECB0000: C:\Windows\system32\SHELL32 (0xd8b000 bytes).
2025-12-09 07:12:46,758 [root] DEBUG: 2160: DLL loaded at 0x000007FEF9A20000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2025-12-09 07:12:46,774 [root] DEBUG: 2160: DLL loaded at 0x000007FEF85C0000: C:\Windows\system32\winhttp (0x71000 bytes).
2025-12-09 07:12:46,805 [root] DEBUG: 2160: DLL loaded at 0x000007FEF8550000: C:\Windows\system32\webio (0x65000 bytes).
2025-12-09 07:12:46,821 [root] DEBUG: 2160: DLL loaded at 0x000007FEFC9F0000: C:\Windows\system32\mswsock (0x55000 bytes).
2025-12-09 07:12:46,821 [root] DEBUG: 2160: DLL loaded at 0x000007FEFC9E0000: C:\Windows\System32\wship6 (0x7000 bytes).
2025-12-09 07:12:46,836 [root] DEBUG: 2160: DLL loaded at 0x000007FEFAB40000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2025-12-09 07:12:46,836 [root] DEBUG: 2160: DLL loaded at 0x000007FEFABE0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2025-12-09 07:12:51,805 [root] INFO: Process with pid 2160 has terminated
2025-12-09 07:12:51,805 [root] DEBUG: 2160: NtTerminateProcess hook: Attempting to dump process 2160
2025-12-09 07:12:51,805 [root] DEBUG: 2160: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:31,446 [root] DEBUG: 812: NtTerminateProcess hook: Attempting to dump process 812
2025-12-09 07:13:31,446 [root] DEBUG: 812: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:13:31,446 [root] INFO: Process with pid 812 has terminated
2025-12-09 07:14:55,586 [root] INFO: Analysis timeout hit, terminating analysis
2025-12-09 07:14:55,586 [lib.api.process] INFO: Terminate event set for <Process 556 svchost.exe>
2025-12-09 07:14:55,586 [root] DEBUG: 556: Terminate Event: Attempting to dump process 556
2025-12-09 07:14:55,586 [root] DEBUG: 556: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:14:55,586 [root] DEBUG: 556: Terminate Event: Current region empty
2025-12-09 07:14:55,586 [root] DEBUG: 556: Terminate Event: CAPE shutdown complete for process 556
2025-12-09 07:14:55,586 [lib.api.process] INFO: Termination confirmed for <Process 556 svchost.exe>
2025-12-09 07:14:55,586 [root] INFO: Terminate event set for process 556
2025-12-09 07:14:55,586 [lib.api.process] INFO: Terminate event set for <Process 2384 svchost.exe>
2025-12-09 07:14:55,586 [root] DEBUG: 2384: Terminate Event: Attempting to dump process 2384
2025-12-09 07:14:55,586 [root] DEBUG: 2384: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:14:55,586 [root] DEBUG: 2384: Terminate Event: Current region empty
2025-12-09 07:14:55,586 [lib.api.process] INFO: Termination confirmed for <Process 2384 svchost.exe>
2025-12-09 07:14:55,586 [root] INFO: Terminate event set for process 2384
2025-12-09 07:14:55,586 [root] DEBUG: 2384: Terminate Event: CAPE shutdown complete for process 2384
2025-12-09 07:14:55,586 [root] INFO: Created shutdown mutex
2025-12-09 07:14:56,586 [root] INFO: Shutting down package
2025-12-09 07:14:56,586 [root] INFO: Stopping auxiliary modules
2025-12-09 07:14:56,586 [root] INFO: Stopping auxiliary module: Browser
2025-12-09 07:14:56,586 [root] INFO: Stopping auxiliary module: Curtain
2025-12-09 07:14:56,633 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765235696.6337888.curtain.log; Size is 36; Max size: 100000000
2025-12-09 07:14:56,633 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-09 07:14:56,633 [root] INFO: Stopping auxiliary module: Evtx
2025-12-09 07:14:56,633 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-09 07:14:56,633 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-09 07:14:56,633 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-09 07:14:56,633 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-09 07:14:56,649 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\OAlerts.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2025-12-09 07:14:56,665 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-09 07:14:56,696 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-09 07:14:56,696 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 98332; Max size: 100000000
2025-12-09 07:14:56,696 [root] INFO: Stopping auxiliary module: Human
2025-12-09 07:14:56,836 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-09 07:14:56,836 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-09 07:15:01,321 [root] INFO: Stopping auxiliary module: Usage
2025-12-09 07:15:02,430 [root] INFO: Stopping auxiliary module: During_script
2025-12-09 07:15:02,430 [root] INFO: Finishing auxiliary modules
2025-12-09 07:15:02,430 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-09 07:15:02,430 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat to files\76583c27a362f61dfb9ae5b76b869851fab55c2c67559ac0534ebe82b390c072; Size is 128; Max size: 100000000
2025-12-09 07:15:02,430 [root] WARNING: Folder at path "C:\vZreiI\debugger" does not exist, skipping
2025-12-09 07:15:02,430 [root] WARNING: Folder at path "C:\vZreiI\tlsdump" does not exist, skipping
2025-12-09 07:15:02,430 [root] INFO: Analysis completed
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win7-64bit-1 | win7-64bit-1 | KVM | 2025-12-09 15:14:02 | 2025-12-09 15:17:24 | inetsim |
File Details
| File Name |
red_core.exe
|
|---|---|
| File Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File Size | 1236992 bytes |
| MD5 | 1b6bcbb38921caf347df0a21955771a6 |
| SHA1 | f464ca710afb55186e842ecbc550b55174f9261c |
| SHA256 | 0c3fc578835db3d9fab6839b0501c274c0e0b739fa0d4c102e21d5f228468d87 [VT] [MWDB] [Bazaar] |
| SHA3-384 | 317e2b885809218fa3a54956aace1ac0868d0e5f0d51bc29dfb221fe382d7327a30b4b8bf474ae0ad65eaa3e6725264a |
| CRC32 | D419F5E1 |
| TLSH | T13D45D010B681C437E0AB113445EB93765AAE78311B7AD4CBF7C49B3A2D616D1EB3438E |
| Ssdeep | 12288:y5j+6tvqy0JxsIWTrWqI4KxZdfh4gI/JA6hxc:y5j+6tvqyPLTrQzWvhx |
| PE | File Strings BinGraph Vba2Graph |
C+PjUV
A~w;/u
+":kX
1+1D1b1y1
- unexpected multithread lock error
-j:xC:
3I3N3_3i3s3x3
GetCurrentThreadId
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
H~N^/
RegSetValueExW
new[]
XUP-[w\
kX(c>
:!:y;
wFQzm
zcFAH
- not enough space for environment
tXFVP
Complete Object Locator'
>TalM
[Left]
095d#
RpcBindingFree
<?jH-
LC_MONETARY
k`='m
tx)V0!B
LoadLibraryW
CoCreateInstance failed: 0x%08lx
GetTimeZoneInformation
united-states
.ShellClassInfo
spanish-panama
*vw3$
9*949j9t9
Q@Qc-
5/6_6l6p6t6x6|6
GetWindowTextW
/+2rh
/z.:`T
0'0M0X0t0)1<1
7"8)8
npze|zL
.?AVlength_error@std@@
HeapCreate
7C7|7
nRX$*
F$9F t
CLPjQV
__ptr64
Sgtv<
GetTickCount
`RTTI
FlsAlloc
2+q9=
dSr^$
"V|MFU
Pf`)T&
ShellTime
E^O2&`4
`a5WH
?9?W?
.?AVout_of_range@std@@
[WIN]
;7|G;p
invalid distance code
operator
E'*88
portuguese-brazilian
.?AV?$codecvt@DDH@std@@
GetVersionExW
j)Z:)
.?AVfacet@locale@std@@
UnregisterClassW
2|fAo
Channel %s was not found.
b`p+s
Win%s %s
='=7=D=V=[=`=e=j=o=
8-9U9
jd_Fj
F`PjNS
m'QO*
p51WD
737E7J7P7B8
Read-only file system
T$@Rj
!n!R\
^(G)a
WriteConsoleW
G`9Gh
!v+Pz
X)$(9
O@;H(s
_oVVi|
?0?P?p?
invalid string position
:f;x;
[F11]
SWf9M
Pf95 /
GetUserNameA
InitializeCriticalSectionAndSpinCount
Il|T1
2E2c2
2.2U2b2h2
incompatible version
.rv?H&
AUX7p
9y@~k
lG*|a{
.?AUctype_base@std@@
\ouv}
u WPS
OaG50
Content-Length: %d
Parameters
WPhL,
TlsAlloc
0XXIf/
bad locale name
australian
6r' 3
;3=E=K=Q=X=a=h=n=u=
$Bk&l
C*PjTV
@_^[]
D+'04
*9PJ?
ServiceDll
:Cw@r`Y
n(9n$u
LoadLibraryA
1L2d2j2
f-]F)
Authorized application %lS is now enabled in the firewall.
CloseServiceHandle
chinese-simplified
}sD!O
rU;WE
;+;7;S;`;l;y;
292@2D2H2L2P2T2X2\2
F\PjMS
LockResource
holland
]?<644
n&@Sf-
dbHm$
0#0,02080K0^0p0
explorer.exe
R6026
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
\RCoRes64.dat
Tuesday
20f\d
%s: unrecognized option '--%s'
kP;~Cq
spanish-dominican republic
>t99k
LLH@;
gtuNd
DeleteFileW
@}eixU
O5K&$d|
english-ire
"C,Rj
bXWL9
MultiByteToWideChar
J4*L-
A4+C4t
GetPrivateProfileStringW
'\Ob0LI?].[
700PP
lop&z
09i\3
Pe]Bv
america
GetUserNameW
z)}9<
v|G,z
Process32NextW
~$9~ ~
fsO9s
SUVW
2 2$2,2D2T2X2h2l2p2x2
O*9y]
+NBW<
?hSdM
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
unknown compression method
No error
RpcStringFreeA
"~e<d
`8i1KR
PQj2R
GetModuleHandleW
2%272I2
>_f0|:
hzT3Yz
.?AVbad_alloc@std@@
optarg_w
,[&-59
>$>2>
ImpersonateLoggedOnUser
:@;S;
abcdefghijklmnopqrstuvwxyz
-.c";,:
35&2i
0DO3P
R1h58
LocalizedResourceName64
asm686 with masm, optimised assembly code from Brian Raiter, written 1998
GetTokenInformation
~a!!a!!
Qkkbal
OpenSCManagerW
UE,3j4
GmRD$
pr-china
0`htU6
L$@Qj
SetHandleCount
`vector vbase copy constructor iterator'
insufficient memory
wY0Un)BJ
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
Ro=o>?
Friday
>9~$~
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
'--%s'
;-;[;v;
Q5No3
chinese
RegOpenKeyExA
__clrcall
opterr
[jXL<
6cVsA
south africa
\pipe\ntsvcs
__thiscall
6*6Z6
No such device
PjOSj
tej=S
FhPj8S
winlogon.exe
spanish-modern
T$ Rj
zsKC.
;t$,v-
(?F3J:
\0Ro$j}
spanish-costa rica
EncodePointer
Bad file descriptor
<+<D<K<l<~<
<%<*<1<6<<<B<G<O<U<Z<n<
VirtualProtect
english-caribbean
[}8Q}
AdjustTokenPrivileges
- not enough space for stdio initialization
EnterCriticalSection
%s: option '-W %s' doesn't allow an argument
GetFileType
9/9D9P9g9
GetStdHandle
FindResourceExW
&|3K
Not enough space
;:?D?T?
}AbK8>$
vPR_/
!^)M{
<J>C/
WWWWQR
/65&>Y
\$(+^
GetLogicalDrives
515L5V5[5s5}5
j@j ^V
HHty+
;(;0;4;L;P;`;
ewh/?y
9c@O83
oDvm>
D$ )D$
,x#\ k
jdShTB
Vl+Vp
<_xIX
;=;J;m;t;y;~;
,UgLw
SetFilePointer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost
\$Dj8
H
[CTRL]
__cdecl
ConnBody
4L4l4A7c7
Not a directory
Resource deadlock avoided
Type Descriptor'
g".C~
[Home]
OM{]s
[Ixj!
MJZ;n
wLBg
2L3d3
[Time]: %04d-%02d-%02d %02d:%02d:%02d
FtPj;S
k>\y,
OpenServiceW
?&?U?
www.%s.com
? ?*?<?A?K?W?a?k?w?
Gh9Ghr
#+3;CScs
8-9P9[9~9
V_:X1:
generic
COMSysSvc
CreateProcessW
;V;[;m;
tdVQh
uivPG
3=!bW
CorExitProcess
File too large
b;R@Q
Global\{CB191C19-1D2D-45FC-9092-6DB462EFEAC6}
`eh vector vbase constructor iterator'
6$747
(null)
5{<El9']
- Attempt to use MSIL code from this assembly during native code initialization
671{!
spanish-honduras
C9r9e(
{728264DE-3701-419B-84A4-2AD86B0C43A3}
~bO1P
EfFrEF
_getopt_long_only_a@20
5.6B6b6g6<8C8
,W|G&`sd
8!8)81898B8K8W8c8p8w8
(i|LihX
cxy{u
,V{S&E4
xGFf5
3 3/34393
0%0/04090>0E0L0Q0V0[0b0i0o0t0{0
RpcBindingFromStringBindingW
;= 7zdS
spanish-puerto rico
=L9o<
D$DWWj
p=,Y3LP
L$$_^[3
GetCommandLineA
~X2Vh]%
t$(J2
bi{bh
WRh`/
english-belize
Microsoft-Delivery-Optimization/10.0
HeapDestroy
SHLWAPI.dll
.?AV?$_Iosb@H@std@@
german-lichtenstein
DeleteCriticalSection
D$(Ph
RPVW3
1a&.AnVF
8+8^8
`h`hhh
Q'NN&
%B+'J
f!K5k
COMSvcGroup
Z nzs
<program name unknown>
`udt returning'
hUy5@)us
`placement delete closure'
WindowsFirewallInitialize failed: 0x%08lx
<`>d>h>l>p>t>x>|>
%s: option '--%s' requires an argument
**3~C
invalid bit length repeat
TTl@;
SysAllocString failed: 0x%08lx
CreateFileW
No locks available
CreateService Faild Because Service is ERROR_SERVICE_EXISTS!
[Down]
6J7g7
spanish-uruguay
SetUnhandledExceptionFilter
s'MLG
3d3s3
hong-kong
xpxxxx
NHqa}
=CbZ+
:vp=c
r!S~8
3"3N3U3z3
CoCreateInstance
.text
JXX'b
RtlUnwind
R6032
=$=9=
6*696
:!:@:E:J:P:X:
=:>I>
_getopt_long_only_w@20
q#2;Xa
;T$$f
'Jp,}|
:';7;
&$(Ug
>:u8FV
<security>
3m3}3
<P+T1
american-english
~I$1:
'ao^8
ineIu(
8Z$pc
718<8M8Y8a8g8v8
HeapReAlloc
f*(^+
bad exception
0$0)0A0d0h0o0s0z0~0
;4;o;
norwegian
_getopt_long_w@20
.?AV_Iostream_error_category@std@@
T#-H%
Directory not empty
:g873
am/pm
RegOverridePredefKey
http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s
invalid distances set
qcwnO
Is a directory
VirtualAlloc
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
7S8a8
( 8PX
;7`]cDe
>?j=j
ToieAX*
^e>{SL
FreeEnvironmentStringsW
3%4*4>4M4
>ZbS?
RtlGetVersion
2-2A2G2
[ E<O
Fb:U;
November
IsValidLocale
\cS0~u
pm#k{
608v9
7d7i7o7
7J7Q7X7e7w7
49563
.UG@:
> >J>P>V>l>
L$,Qh
SetEnvironmentVariableW
runtime error
w.SkX
`vbase destructor'
`vector deleting destructor'
*wDE?
%SystemRoot%\system32\svchost.exe -k
&0,0004080
4}<)}A
YM:@+
:QZje
ncacn_np
system
:P;_<
6Aymz
QHG\B
[PageUp]
L$`QR
=gXLn
RnDUFvdXN
D$8t1
G u<Y%
.?AVfailure@ios_base@std@@
S0Y0c0
[ESC]
2"393
>W>c>h>r>
}Do(@_he
DestroyEnvironmentBlock
\j,N)
|620/
!ryyx(
<$<0<<<S<e<q<~<
q![X.
GetFileSize
October
english-aus
R6008
[Num Lock]
spanish-mexican
f9;u
No such file or directory
44)2=
A/^E2
Ad}oJ.
ios_base::failbit set
ExitProcess
%s: unrecognized option '%c%s'
0ZL-i
R6019
Runtime Error!
t$HHt
File exists
qmdvucpg~oKAPMQMDV~uKLFMUQ~aWPPGLVtGPQKML~pWL
>%- B
lPB9}[0
<$xDx
][_^Y
R6016
9](SS
*0;|j
GetForegroundWindow
=H>j>z>
%F2KUO
UnhandledExceptionFilter
<5-rL
282@2L2l2t2
mscoree.dll
7Fn(i
[Context]:
;(v3N
LoadResource
-!/!_
F8PjDS
DefWindowProcW
CreateMutexW
HeapAlloc
MLMqY
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
IconResource64
8&9:9Q9j9x9
Genuu8
UTF-16LE
%s: option '-W %s' requires an argument
SetThreadContext
lstrcpyW
S3N}^
5!5&5+505g5
oF ej
english-american
VVVVV
SING error
-pVvF
<!<'<;<A<K<R<_<e<
3?3g3m3u3
wf93t
Class Hierarchy Descriptor'
?If90t
HMEr;)
J!=!7
TASKKILL /F /IM rundll32.exe
:Sj$h
delete
u$h@2
tRHtC
="=.=:=E=
GetProcessWindowStation
@PAQBR
xQ(-a
%03X%02X%02X%02X
get_LocalPolicy failed: 0x%08lx
t VV9u
@o'EF~
ProxyServer
Resource device
RpcStringBindingComposeA
Server: nginx/1.4.7
!sMXH
0)0@0Z0a0o0~0
RegCreateKeyW
put_ProcessImageFileName failed: 0x%08lx
LoadUserProfileW
8\cVD
PPPPPPPP
1(181<1L1P1X1p1
w+OQvr
[Title]: %s
3>1>6
2P4T4X4t4x4
4%4B4Z4_4d4i4n4
HtbHu
RWSVP
^ujwQ
9~Ttf
invalid code lengths set
(@<`*`.
{D9AE3AB0-D123-4F38-A9BE-898C8D49A214}
818D8
Y_^[]
\`%^UY
CY</#
Hardware\Description\System\CentralProcessor\0
`vector destructor iterator'
UnloadUserProfile
FTPjKS
6D{T[
mLRmw
qr8yu
[-&LMb#{'
2"2/292?2D2K2d2v2|2
1 1$1(1,1014181<1@1D1
canadian
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
Cookie: %s
tSj=V
__eabi
xSSSh
RPCRT4.dll
rZc9hiq
spanish-guatemala
=\=~=
tna[h<
WindowsFirewallAddApp failed: 0x%08lx
`h````
/$ah<
_ej+y
[N;E{
O(9O$u
GetProcAddress
CHPjPV
FxPj<S
TlsGetValue
_S.FYN@
2@3K3U3f3q315B5J5P5U5[5
QRh -
Permission denied
invalid block type
6E9za2
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
\d^uG
- not enough space for thread data
GetLastError
>oqTn>`x
Y0J}l
Norwegian-Nynorsk
SYSTEM
5)IZ$
5l?@(
dkmr}
7#7G7M7S7b7h7
T@{9{
D$0^][_
//EQ@
F<PjES
!UX:P
|!y~0
wn>Jj
svchost.exe
D$\V3
6]6i6}6
`vector constructor iterator'
Interrupted function call
nGE;5
=,=I=S=h=
YQ$Uc
RegOpenKeyExW
6D7J7X7b7l7w7}7
%s: option requires an argument -- '%c'
WU?CeA
Sunday
C.PjRV
CjRnY?
P1T1X1\1`1d1h1l1p1t1x1|1
u 23X
=e@;}dK
?#?<?Z?
M-QMS
>+>3>8>=>B>G>L>\>i>o>z>
D$<j(
Improper link
- CRT not initialized
T#3aK
GetLocaleInfoA
T!FrY
0;1tt
3p$ )
^TcHJr'
IsBadReadPtr
Sleep
WOW64
-/<Bk]
]H7K#
z^>]x
GetShortPathNameW
>%:Dk
I?{xK
o~08t
9 9<9@9`9
XBoxDllShellCode.dll
4$4*4=4M4U4
H\$v<@
SHGetSpecialFolderPathW
Saturday
F(Pj,S
Vlf+Vd
!! Ij
Result too large
FP|Xt:
zuxVV
.?AV_Generic_error_category@std@@
__stdcall
:a=r?dE
000@0H0\0d0x0
9] SS
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
IconResourceDns
D$(+D$
{g]^p
vYslJ
Function not implemented
8I9v9
R6028
Y:wZ"
}u+sWME}
1&1.1>1V1q1v1
QPhP.
or?"gUgW
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
#k+TSpMV
_RZc=
c#tKN
t$D#t$
FR^.,
JT.6n
GetCurrentProcess
Unknown error
T$PWR
`typeof'
2!3Z3
- pure virtual function call
lL(k+
`eh vector copy constructor iterator'
.!S<f`
.?AVios_base@std@@
invalid literal/lengths set
>0>P>l>p>
r(-C,mQ
jjUdE
~7 4y
SizeofResource
</security>
575I5c5}5
#bML"
JDd+~+iG+i
((((( H
aFZjUU
england
:8:h:z:
HODkF
Filename too long
2V2f3x3
dddd, MMMM dd, yyyy
CreateToolhelp32Snapshot
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2x2|2
BQNmn
F@PjFS
xi,mQy
V<GNc
slovak
1;1B1O1a1~1
?"?1?=?
700WP
79FJQ
f^p]p
s*`pR
Agent
*08>5
get_Enabled failed: 0x%08lx
WriteFile
1?1E1K1
LC_ALL
1:CRc\
5\ \#
[,T x0o
=*>?>H>
9d9s9
&psid=
8-999
[F12]
=z!O^
>$>+>2>9>@>G>N>V>^>f>r>{>
]qe1vu
)\ZEo^m/
l~!#S.
WS2_32.dll
GetAsyncKeyState
<requestedPrivileges>
9>:l:L;
IsDebuggerPresent
r}Ta]
8R{lR
OpenThreadToken
CoInitializeEx failed: 0x%08lx
@.data
FlsFree
F0Pj.S
HttpQueryInfoW
kT0 ~
tvHt#
`eh vector destructor iterator'
ntelu0
WININET.dll
F4Pj/S
|=~?=
L$@Qh,3
.?AVlogic_error@std@@
Domain error
american
- unable to open console device
T$$QUR
4&636
`omni callsig'
Unknown exception
\Parameters\
?s/Zo[
FlsGetValue
`w-8f
oFD><
Q(yA]
8 8,8`8
- floating point support not loaded
optind
<mo84
south-africa
Y!3\s
xppwpp
5%Tf@
3 4.4\4n4s4y4b5
Authorized application %lS is disabled in the firewall.
t*=RCC
`dynamic initializer for '
HtcHt.
InternetCloseHandle
3rB5J
<*<;<t<
L$8QSRVP
6h7u7J8T8
.%J.&
647T7D8m8
4:4W4^4j4q4
spanish-peru
$m[/:
english-can
;ru.r
_ih\ip
Accept-Ranges: bytes
August
R6002
GetOEMCP
[Right]
spanish-ecuador
?5?<?C?s?
D$ j@h
Vista
P8X8`8h8p8x8
.?AVbad_exception@std@@
:D]LQ?
?I?u?
FPPjJS
StartServiceW
=MEw-b
A@(e\
- abort() has been called
]0e0v0
h(((( H
i_#Un
+>UV7
SYSTEM\CurrentControlSet\Services\
`local vftable'
norwegian-nynorsk
ILYhW
j3?-B
french-belgian
EdU/vbt
spanish-colombia
127.0.0.
6zJKv6
spanish-el salvador
;bweA
=T=f=
> ?$?(?,?0?4?8?<?@?D?
1 1$1D1d1
Q?se4
sCI?y8t
s~kAk
,@GU|G
4/4C4T4
`vector copy constructor iterator'
ios_base::badbit set
"M:J57
NJ2"v
YBFrh
9F9n9
EvtSubscribe
6;6N6
)UG6y
Too many open files in system
829d9
$z~#
1D1Q1f1
127.0.0.1
hQT`A
- not enough space for locale information
CreateService Faild Because Service is ERROR_IO_PENDING!
D$hSVWh
=bmd3
D$,uH
grpconv.exe
2s3}3
PS Mk9F;ul
1|f$;i
Oh;O\sR
incorrect length check
&!SGn
FBZ<L]I>
April
__restrict
delete[]
}@y$O&
?(X;9
C$PjQV
09-'M
1G2~2
H*0"ZOW
6H7L7P7T7
rso((
?3?:?D?V?m?{?
InterlockedDecrement
4"4)464V4`4
SSSSS
Z3UJM
DecodePointer
#lR[z
rEAi_)
T$(;P
s7NnN
Too many open files
2012 R2
qUjK`r
Exec format error
9MqLK]
C/PjSV
LCMapStringW
+H-}E#
A8]Cq
P,Q\&
header crc mismatch
TOpRj
german-luxembourg
`Ifr|
`default constructor closure'
j]jVY
URPQQh`
iostream
HeapFree
j#jh(e]
gM)
Ct*BU
.?AVsystem_error@std@@
oXQFD
0F0X0
tR99u2
h4vDl
`local static guard'
HTTP/1.
optarg_a
>)>i>w>
ABCDEFGHIJKLMNOPQRSTUVWXYZ
WriteProcessMemory
%s: invalid option -- '%c'
o5P^"
\ko}E
C,PjVV
dL!ar
1O2k2{2
*K[~Jh
UTF-8
Add failed: 0x%08lx
VirtualFree
|uo;H
Global\{E68DFA68-1132-4A32-ADE2-8C87F282C457}
R6024
031<1H1'2
GetCurrentThread
.?AVexception@std@@
IiGM>nw
F$Pj+Sj
8p~A8;
<7<B<I<
9T:g:|:
RvQ1nm
HHtk2
<(<-<><H<Q<]<g<q<
F|Pj=S
"z[)&oD
t(SSSj
Operation not permitted
u.95\#
0V0]0
J{[{Vs
)YkX>
:.:6:?:x:
=4Ein
InternetOpenUrlA
Hv83yP&
3'3m3
8"9K9\9p9
LA+@V
Supports System COM+ Service, If this service is disabled, users of this computer will not be able to use this service.
CreateProcessAsUserW
EJFZE
mjRry
=.?5?=?E?M?s?
Y__^[
uzu2{
Visual C++ CRT: Not enough memory to complete call to strerror.
yNbBo
stream error
:$:d:n:y:
Resource temporarily unavailable
L$(+L$
UDYiO
aZl[L
:E:o:
unknown header flags set
:*ot~eT
N|o?}
KG^;;
f#5Mf,C=
jjjjjh
#*I0<M[X
NZCe8[X
g!yVV
^oEZ_
QRh0+
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
[F10]
hK{IL
&rqw9
HHtYHHt
LookupPrivilegeValueW
[Backspace]
swiss
MessageBoxW
EnumSystemLocalesA
Event/System[EventID=1149]
GetActiveWindow
.rsrc
south-korea
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
=$=0=6=>=D=P=V=c=m=s=}=
{'F,*
_i#3.
^|lH\q
`virtual displacement map'
GetConsoleCP
english-trinidad y tobago
4:4J4^4j4
December
swedish-finland
0`0m0
v82u$C&
J)5<K2Ge
6E72Ja
Q1}/4V
5fnxLw
#Ol)I
string too long
Base Class Descriptor at (
>ee=u
RaiseException
\T<Po
%[e@U
Cache-Control: no-cache
j.h$E
X\(,]
v"6/s
UQPXY]Y[
6P6u8.:
gCj/J
SetLastError
:E'E7
Gpi3g
< <(<,<4<H<h<t<
CheckTokenMembership
:":>:D:S:m:w:
`eh vector vbase copy constructor iterator'
D-I0Q
cGf6d3
Win%d.%d.%d %s
InitializeCriticalSection
<Enter>
]$:?>
french-canadian
GetLastActivePopup
h qig
8(858@8K8Q8W8]8c8i8F9
Base Class Array'
5#5=5D5Y5`5q5x5
Nlf+Np
dv}0(
This indicates a bug in your application.
F*FVe
german-swiss
uASRS
X.x+n
0A2n2
[Del]
`vcall'
TLOSS error
ioi=e#
?$?0?4?8?<?@?D?H?
R6010
Nl#N4
u)jAXf;
No space left on device
~3()n
xMX!-
KERNEL32.dll
=.>6>t>h?~?
L$XRf
DOMAIN error
SunMonTueWedThuFriSat
SetFileAttributesW
.VBT`V
FLPjIS
KD/yU>
wyO 08
January
CreateWindowExW
v,3;v
%s: option '--%s' doesn't allow an argument
=/=Y=}=
nKERNEL32.DLL
GetConsoleMode
Global\{2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}
gRC"\
GetTimeFormatW
http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s
2B2L2T2d2j2
J1B244<4
<5<N<j<
TZyHfi
SubscriptionCallback: Unknown action.
InterlockedIncrement
682tB:
gV,z4
&N9c[
NTDLL
Eo>@7
y)-@Ln
IsWow64Process
0L1g1
GetUserObjectInformationW
china
N<'pb
j_E`>=
L$Th@
^R_R)
aSg'M
GetCPInfo
;&<Y<c<i<J=|=
<^jvS
>'>@>
;+N?Rg
m]=PZ
EvtRender
KJVW(
biu9mM
PRhx,
spanish-venezuela
`local static thread guard'
B&b0yL
:,:<:b:
Y8JwV
`managed vector constructor iterator'
0"161L1c1
QueryPerformanceCounter
<iG1[w
H_K!sC"
TlsFree
lXB&z
v)~vN
No such device or address
Q<@WN
V0WSR
Invalid argument
QQSVWd
american english
1A26b
nosvc
b|])Vv@
Content-Type: text/html
`vector vbase constructor iterator'
#eipep
yNGGl
cY>l)
$+^pBG
chinese-singapore
incorrect header check
|$Dj8
[+>ge
04080P0`0d0h0l0t0
Software\Microsoft\Windows\CurrentVersion\Internet Settings
!=ZgI
V,^]3
C2ks=
3n5$6.6
^ZwZ{
6$QxB
chinese-traditional
>9>VpF
WritePrivateProfileStringW
SetEnvironmentVariableA
6,646<6D6L6T6`6
dE!jE
lstrlenA
buffer error
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
UZ7{p{
"A,\n
>G>Q>i>
181H1\1p1|1
RegQueryValueExW
Q&}Cr
FdPjOS
wI%2K
WPh0,
irish-english
belgian
PathFileExistsW
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>
4h5YE
g@/~Hg
.?AVerror_category@std@@
4)4:4G4R4Y4c4j4
invalid literal/length code
GetUserDefaultLCID
7E7n7x7
Invalid seek
xaV(J
L8<.c
kO=Rnv
Dl|D"
A@SlP2
Connection: Close
rd,eM,<|P
QPh`0
So 'Q[
>(>8><>L>P>T>\>t>
Y/2f)
Program:
:WndClassName
PVVRV
1 1%1-121:1?1F1U1Z1`1i1
FXPjLS
?P?U?
20190318
0[ Ms
.-aS]@
<.)ptJ
%02X%02X%02X%02X%02X%02X
GetComputerNameA
toiyeuvn.dongaruou.com
1.2.8
USER32.dll
7{F*,7
qas<#
55N]M%
BR;}2%
c|Q0
tce}+L9=
F:+Sf
TerminateProcess
Process32FirstW
3 383H3L3\3`3d3l3
t?VSP
SetStdHandle
cmmon32.exe
=4TH}3
8%9*9{9
>Y DO
WTSGetActiveConsoleSessionId
WdMo=
invalid distance too far back
SetTokenInformation
WinExec
[a{wY
I%:XKX
IPHLPAPI.DLL
GetSystemInfo
ProcessIdToSessionId
F6Ih!
great britain
stream end
spanish-argentina
GetLocaleInfoW
b+|,%
[PageDown]
french-luxembourg
qrAGL
VRPQh
1BPij[Z
C)-{c
4-<*C\K
K\F\\
S)w'=TX
7]7c7
>$>(>,>0>4>8><>@>
]Mj~j
uTVWh
InternetOpenW
3)3M3x4
iostream stream error
Arg list too long
\B#1_
8$8c8o8~8
<%<C<%=
- unexpected heap error
english-jamaica
4$4(484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
<T=p=v=
RegOpenCurrentUser
RpcStringFreeW
GetProcessHeap
ViD-s
2#2)232<2G2L2U2_2j2
OtXhWs
V|yBn
ios_base::eofbit set
9F se
0 0@0`0
~z<|wg
T$ Rh?
@.reloc
LocalAlloc
[Space]
Microsoft Visual C++ Runtime Library
2)272L2V2|2
@)mh>
- not enough space for arguments
\desktop.ini
QM?k{C
O<5.nQ
english-us
8(KKC
x)%<M
s.Wj
'dV;|
english-uk
L$t_^[3
__fastcall
`string'
ole32.dll
2]u2h[Zm
GetStartupInfoW
bmB=S
[wuwC
z\Cq%
84L\;
4E5X5h5+737=7M7Y7_7i7y7
HHtXHHt
bad cast
|TXX`
get_CurrentProfile failed: 0x%08lx
need dictionary
RegCloseKey
english-usa
CreateServiceW
vQO+t
GetSystemTimeAsFileTime
g?`X7
ExitThread
3T3Y3_3
spanish-bolivia
394?4Q4n4
hrqHr
%^'N8
A#a+Rih
MM/dd/yy
:0Bv\~
hE:%wfF
1nLZv
.?AV_Locimp@locale@std@@
|$ WSPV
- unable to initialize heap
9~4u(
`f\esm4Uw
FlushFileBuffers
ifu{w
R6031
mj>zjZ
CreateThread
w<+wt
GetAdaptersInfo
xl>J$Qk
Core Networking - IPv4 (IPv4-In)
dutch-belgian
*#\&w
9Ghs%
GetDateFormatW
EvtSubscribe failed with %lu.
IconResourcePort
?%?*?3?9?>?G?M?R?[?`?e?j?s?{?
^{m#wS
7<7H7h7t7
w_$mc8-
t"SS9] u
`scalar deleting destructor'
B(^uH
1wsHp
?4?L?V?e?
4Z=bz
uu4A}
Y_;q+
=/gQGR_
GetModuleFileNameA
^SSSSS
Pj)Sj
March
lstrlenW
y|$1nk
WWWWW
south korea
Bad address
WaitForMultipleObjects
@C2%`
%s: option '-W %s' is ambiguous
inflate 1.2.8 Copyright 1995-2013 Mark Adler
DuplicateToken
GetACP
3!K1p
german-austrian
qSx<W
%s: option '%c%s' doesn't allow an argument
j]jl3
J'UW4R
38K=V
t%HHt
ADVAPI32.dll
6o7w7
SHELL32.dll
OSWqy
: :(:0:8:@:H:P:X:`:h:p:x:
R6027
`local vftable constructor closure'
english-nz
CONOUT$
OpenMutexW
GetMessageW
</requestedPrivileges>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
3+3M3|3
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
tCHt(Ht
FDPjGS
ReadFile
WindowsFirewallAppIsEnabled failed: 0x%08lx
DispatchMessageW
HTTP/1.1 200 OK
referer=
Xu"x)
WTSAPI32.dll
W}R9b
WinSta0\Default
CreateEnvironmentBlock
GlobalMemoryStatusEx
MF9YX
C PjPV
16YC'
=%=*=/=4=D=s=y=
c8_'
.rb40
0`1d1
msgsm64.acm
^da<mn
.(9^/
PdZSU
Wj@hP
2D3J3X3b3l3w3}3
556v6
DuplicateTokenEx
GetCurrentProcessId
-X,sF
.?AVcodecvt_base@std@@
=(=4=P=p=
vvi?P
`eh vector constructor iterator'
=Z;j~
QW@Ph
FreeLibrary
P+!3l(
0G0P0\0
<4>J>
bad allocation
0(3+nG/
tNHt%
EF,+Z*
)g%Fd%
invalid stored block lengths
^cmv6
<1^OW
data error
%Qu6v7
Monday
6K6R6e6l6v6
k%"A1
incorrect data check
KSb\KS
7mu:*0R
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
93Y,4
Tf^tK
1Bn`8
ActiveX Update
~,WPV
WQh$/
7'838F8X8s8{8
\desktopWOW64.ini
h4btB*e
On0ykRZ
+G{@P
4G5M5`5
HH:mm:ss
<"=T=|=
('8PW
lstrcpyA
JanFebMarAprMayJunJulAugSepOctNovDec
[Insert]
chinese-hongkong
T$"Rf
LC_CTYPE
6`7`!@
#OVy%
SetEndOfFile
- not enough space for lowio initialization
POSIXLY_CORRECT
&8|gq
j2hTB
4=4D4[4x4
tx~?j
GetLocalTime
/vEU
ChangeServiceConfig2W
UNICODE
^MnO>
]V2[\?
Authorized application %lS is enabled in the firewall.
_getopt_a@12
JbN\<
OLEAUT32.dll
u&WVS
r]X<]=
6 6$6(6,6064686H6L6`6d6h6
UTB)/
CoInitializeEx
_getopt_long_a@20
<&=4=W=^=d=q=
:3:V:
R6030
GetNativeSystemInfo
5"5+515a5p7x7
.t|PVj@
3(>4>@>L>X>d>p>|>
R6033
((b8WI
SVWUj
?+f{$
0#0(0,000Y0
GetSystemDirectoryW
.?AV?$ctype@D@std@@
HttpQueryInfoA
FlsSetValue
get_AuthorizedApplications failed: 0x%08lx
/hPj<
6Cj>M
LeaveCriticalSection
britain
U]Ofm7
Cs->%
jjjjj
Y/L '?
February
`7]=G
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
v}{f[Fi{F
Q%dm1
FYY;u
?(?/?4?8?<?]?
20393?3D3\3v3
[End]
[Enter]
SetErrorMode
Wednesday
;]xs_r+
.?AVruntime_error@std@@
7lUJL
IsValidCodePage
WaitForSingleObject
IJB/m
Fast decoding Code from Chris Anderson
+D$(;
xsfRO
Thursday
September
FHPjHS
[~_=d
roF l
w_hZ=_
_a->D
.?AV_System_error_category@std@@
8'8/8?8E8V8
<%<f<
:;];!
__pascal
6[ZYw
F,Pj-S
\ws^o
spanish-nicaragua
CoUninitialize
:*P|Rs
;4;Q;
WUSER32.DLL
:-8[:]
PijU19hgT
1-1:1?1M1(2
The query "%s" is not valid.
_<<K*D
1}0.}'W^g
*N4Nj*
OpenProcessToken
G\.@6
OZw3(?
`vbtable'
- Attempt to initialize the CRT more than once.
4(4,4044484@4X4h4l4|4
Fwr:b
%s: option '%s' is ambiguous; possibilities:
8)8L8
M9=$t
FpPj:S
<6O/v/
No such process
`copy constructor closure'
r] `=
WQhL,
2,2h2
>8?d?y?
<3<R<
.?AVCAtlException@ATL@@
2Q2i2
CYLHq#g
2008R2
4C5@6
&v%OVA
]5->@WM2
;+Y;g
.?AVtype_info@@
mR/@c
Illegal byte sequence
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
[TAB]
T$`RP
wsc.dll
C{rHh
UumTM
VG\K}Q
wkPSQR
434D4Q4X4h4z4
RpcBindingFromStringBindingA
SQuK<
F,^]3
Win%s Sp%d %s
R6018
D$8+F
LC_COLLATE
R6025
AO-q4
CreateWellKnownSid
1 1@1
PPPh`I
uvh 5
8sPv^
+SXN[
=3Zo]
WGqrI0
english-south africa
RpcStringBindingComposeW
put_Name failed: 0x%08lx
FlPj9S
`placement delete[] closure'
s^{IG
(|>U>
GetModuleFileNameW
TlsSetValue
</trustInfo>
{F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}
H#5`t[
optopt
GetCommandLineW
)G^`M
COM+ Support Service
__unaligned
PPPPP
GetStringTypeW
"meI[N~n
/1q`L<aN
<Backspace>
CloseHandle
0$060H0Z0l0~0
J'T?v/
[Print Screen]
USERENV.dll
WTSQueryUserToken
Y_)*#K
FindResourceW
:4)o;
ZJY2/
>$?G?Q?
Rc8-(
5 6?6^6
Af9q.
/AjV'<i
!p;"6
Input/output error
Inappropriate I/O control operation
]M`|_M
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
3 3(343T3\3h3
l6qnk
__based(
< tK<
SeDebugPrivilege
new-zealand
gU<CJn
}8Dp]
Too many links
R~??@Z$
&AZQ+6G
wrbg?
GetThreadContext
O.[/s"wP
tAVWP
>*?<?
LocalFree
@e3@e)
O92vI
O@;H s
LC_NUMERIC
Dn#]&
X_U*
`dynamic atexit destructor for '
a+-C}
QU3t;P
PKCRi7
QQSV3
[#p^f
5B5V5j5
C-PjWV
>%>?>K>h>
2G2]2t2
ProxyEnable
KA!H;
9|$`r
=<S;D
%>--v
@PSVV
Broken pipe
pr china
t$j4j
OpenProcess
;Q;g;
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
invalid code -- missing end-of-block
-GGhB
F Pj*S
0l1r1
[Scroll Lock]
%!DVDN
5R@FV
737_7l7
too many length or distance symbols
#;6Y;
Ap{Fx
tl9_ tg9_$tb
norwegian-bokmal
RegisterClassExW
]5+lj
4(454@4K4Q4W4]4c4i4
file error
5 6J6}6
5"5,5`5k5u5
`managed vector copy constructor iterator'
3/3I3
- not enough space for _onexit/atexit table
InternetSetOptionW
K#~0 }
4.4}4
invalid window size
.?AVbad_cast@std@@
9%:?:H:o:|:
PQP7X
TranslateMessage
N,_^]3
CompareStringW
?H>(=
=o<~Q
= =$=,=D=T=X=h=l=p=t=|=
1O0<O
No child processes
italian-swiss
french-swiss
? ?$?,?D?T?X?h?l?p?x?
HjdSh
;-]sI
QSWVj
Ea=2yQ|
'n):2
PRhh+
R6017
=*=3=8=B=L=X=]=
5w",
spanish-paraguay
i]=Avd
$[^_]
4ordJ
^Gupl
J/jx>
spanish-chile
WAsN.
czech
cTt-A;
trinidad & tobago
|~M/<Vy
L$ H#
h:l:p:t:x:|:
F ;F$t
QQQQV
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
qwJBg
P^HVn
~@yqu`H
WideCharToMultiByte
3l4t4
ReleaseMutex
OPqjg
http://%s:%d/
/dy_M
HeapSize
WSAIoctl
0g1w1
LC_TIME
9|$(t
t!WVj
VirtualAllocEx
RJ/RJ
BnKeN
O.kB!
tEHt0
5v8z8~8
N5"a}
>L>T>b>r>x>
_,`'>
IsProcessorFeaturePresent
R6009
0"010?0I0O0e0j0r0x0
F0WSP
`managed vector destructor iterator'
$3Ljq\
9F9M9b9
t-u"=%N(
IconResourceNoSvc
,jWRM
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
K39X@%
united-kingdom
`VTH/2:
L$ Qh
9$9,949<9D9L9T9\9d9l9t9|9
CreateEventW
VVVVj
_getopt_w@12
GetEnvironmentStringsW
$\"|Fr
% *;WD
`vftable'
5 5(50585<5@5H5\5d5l5t5x5|5
wevtapi.dll
f6B@E
P>OTq
puerto-rico
9c:h:q:
9 9(90989@9H9P9X9`9h9p9x9
GF?.x
: :<:@:`:
:IW`(L]
mZKk~O.I
}}l;Fuf
mF3$d
6]O7*U
9|$|r
`.rdata
3=4W4
ResumeThread
qX1g2c:
GD)op)ol
GetKeyState
q:Pl?!
D$8SVW
OutputDebugStringW
VVVVVQRSSj
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | Compile Time | Import Hash | Exported DLL Name |
|---|---|---|---|---|---|---|---|
| 0x10000000 | 0x00012bf2 | 0x00067f0d | 0x0013206b | 5.1 | 2019-03-06 10:20:32 | 37e48d0816c7485d18b7cc3e0d8ed0a0 | XBoxDllShellCode.dll |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0002a106 | 0x0002a200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.67 |
| .rdata | 0x0002a600 | 0x0002c000 | 0x0000c99e | 0x0000ca00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.80 |
| .data | 0x00037000 | 0x00039000 | 0x0002d8ac | 0x00029200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.94 |
| .rsrc | 0x00060200 | 0x00067000 | 0x000001b4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.12 |
| .reloc | 0x00060400 | 0x00068000 | 0x0000311e | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.35 |
Overlay
| Offset | 0x00063600 |
| Size | 0x000caa00 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x00067058 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.80 | None |
Imports
| Name | Address |
|---|---|
| GetAsyncKeyState | 0x1002c2e0 |
| GetForegroundWindow | 0x1002c2e4 |
| GetKeyState | 0x1002c2e8 |
| GetWindowTextW | 0x1002c2ec |
| GetMessageW | 0x1002c2f0 |
| TranslateMessage | 0x1002c2f4 |
| RegisterClassExW | 0x1002c2f8 |
| CreateWindowExW | 0x1002c2fc |
| DefWindowProcW | 0x1002c300 |
| DispatchMessageW | 0x1002c304 |
| UnregisterClassW | 0x1002c308 |
| Name | Address |
|---|---|
| ImpersonateLoggedOnUser | 0x1002c000 |
| StartServiceW | 0x1002c004 |
| ChangeServiceConfig2W | 0x1002c008 |
| RegCreateKeyW | 0x1002c00c |
| OpenServiceW | 0x1002c010 |
| OpenSCManagerW | 0x1002c014 |
| CloseServiceHandle | 0x1002c018 |
| CreateServiceW | 0x1002c01c |
| CreateWellKnownSid | 0x1002c020 |
| CheckTokenMembership | 0x1002c024 |
| GetUserNameA | 0x1002c028 |
| RegOpenCurrentUser | 0x1002c02c |
| OpenProcessToken | 0x1002c030 |
| DuplicateToken | 0x1002c034 |
| GetTokenInformation | 0x1002c038 |
| RegOverridePredefKey | 0x1002c03c |
| OpenThreadToken | 0x1002c040 |
| GetUserNameW | 0x1002c044 |
| RegSetValueExW | 0x1002c048 |
| RegCloseKey | 0x1002c04c |
| AdjustTokenPrivileges | 0x1002c050 |
| RegOpenKeyExW | 0x1002c054 |
| DuplicateTokenEx | 0x1002c058 |
| RegOpenKeyExA | 0x1002c05c |
| LookupPrivilegeValueW | 0x1002c060 |
| SetTokenInformation | 0x1002c064 |
| CreateProcessAsUserW | 0x1002c068 |
| RegQueryValueExW | 0x1002c06c |
| Name | Address |
|---|---|
| SHGetSpecialFolderPathW | 0x1002c2d0 |
| Name | Address |
|---|---|
| CoInitializeEx | 0x1002c39c |
| CoUninitialize | 0x1002c3a0 |
| CoCreateInstance | 0x1002c3a4 |
| Name | Address |
|---|---|
| SysStringLen | 0x1002c2a0 |
| SysAllocString | 0x1002c2a4 |
| SysFreeString | 0x1002c2a8 |
| Name | Address |
|---|---|
| PathFileExistsW | 0x1002c2d8 |
| Name | Address |
|---|---|
| HttpQueryInfoA | 0x1002c324 |
| InternetOpenUrlA | 0x1002c328 |
| InternetSetOptionW | 0x1002c32c |
| HttpQueryInfoW | 0x1002c330 |
| InternetCloseHandle | 0x1002c334 |
| InternetOpenW | 0x1002c338 |
| Name | Address |
|---|---|
| WTSQueryUserToken | 0x1002c394 |
| Name | Address |
|---|---|
| CreateEnvironmentBlock | 0x1002c310 |
| DestroyEnvironmentBlock | 0x1002c314 |
| LoadUserProfileW | 0x1002c318 |
| UnloadUserProfile | 0x1002c31c |
| Name | Address |
|---|---|
| EvtSubscribe | 0x1002c3ac |
| EvtRender | 0x1002c3b0 |
| Name | Address |
|---|---|
| connect | 0x1002c340 |
| accept | 0x1002c344 |
| getpeername | 0x1002c348 |
| gethostname | 0x1002c34c |
| socket | 0x1002c350 |
| inet_ntoa | 0x1002c354 |
| listen | 0x1002c358 |
| send | 0x1002c35c |
| gethostbyname | 0x1002c360 |
| closesocket | 0x1002c364 |
| __WSAFDIsSet | 0x1002c368 |
| WSAStartup | 0x1002c36c |
| inet_addr | 0x1002c370 |
| select | 0x1002c374 |
| htons | 0x1002c378 |
| bind | 0x1002c37c |
| recv | 0x1002c380 |
| WSACleanup | 0x1002c384 |
| setsockopt | 0x1002c388 |
| WSAIoctl | 0x1002c38c |
| Name | Address |
|---|---|
| GetAdaptersInfo | 0x1002c074 |
| Name | Address |
|---|---|
| RpcBindingFree | 0x1002c2b0 |
| RpcStringBindingComposeW | 0x1002c2b4 |
| RpcBindingFromStringBindingW | 0x1002c2b8 |
| RpcStringFreeA | 0x1002c2bc |
| RpcStringBindingComposeA | 0x1002c2c0 |
| RpcStringFreeW | 0x1002c2c4 |
| RpcBindingFromStringBindingA | 0x1002c2c8 |
Exports
| Name | Address | Ordinal |
|---|---|---|
| _getopt_a@12 | 0x10002740 | 1 |
| _getopt_long_a@20 | 0x100027a0 | 2 |
| _getopt_long_only_a@20 | 0x10002810 | 3 |
| _getopt_long_only_w@20 | 0x10003410 | 4 |
| _getopt_long_w@20 | 0x100033a0 | 5 |
| _getopt_w@12 | 0x10003340 | 6 |
| optarg_a | 0x100668a8 | 7 |
| optarg_w | 0x100668a4 | 8 |
| opterr | 0x1006190c | 9 |
| optind | 0x1006178c | 10 |
| optopt | 0x10061aac | 11 |
| Discovery | Command and Control | Defense Evasion | Privilege Escalation |
|
|
|
|---|
Usage
Processing ( 2.27 seconds )
- 1.194 CAPE
- 0.885 Heatmap
- 0.16 BehaviorAnalysis
- 0.019 NetworkAnalysis
- 0.011 AnalysisInfo
- 0.001 Debug
Signatures ( 0.04 seconds )
- 0.008 antiav_detectreg
- 0.003 infostealer_ftp
- 0.003 ransomware_files
- 0.003 territorial_disputes_sigs
- 0.002 antianalysis_detectfile
- 0.002 antianalysis_detectreg
- 0.002 infostealer_im
- 0.002 ransomware_extensions
- 0.001 network_dyndns
- 0.001 antiav_detectfile
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 antivm_vmware_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 infostealer_bitcoin
- 0.001 infostealer_mail
- 0.001 poullight_files
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 ursnif_behavior
Reporting ( 2.83 seconds )
- 2.757 MITRE_TTPS
- 0.046 ReportHTML
- 0.011 LiteReport
- 0.011 JsonDump
Signatures
Checks available memory
Queries the keyboard layout
A file was accessed within the Public folder.
file: C:\Users\Public\Documents\desktop.ini
SetUnhandledExceptionFilter detected (possible anti-debug)
At least one process apparently crashed during execution
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 2392
Dynamic (imported) function loading detected
DynamicLoader: red_core.exe.dll/
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: kernel32.dll/GlobalFlags
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/GlobalAddAtomW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GlobalDeleteAtom
DynamicLoader: kernel32.dll/GlobalFindAtomW
DynamicLoader: kernel32.dll/CompareStringA
DynamicLoader: kernel32.dll/GetDriveTypeA
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/GetConsoleOutputCP
DynamicLoader: kernel32.dll/WriteConsoleA
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStrings
DynamicLoader: kernel32.dll/FreeEnvironmentStringsA
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetDateFormatA
DynamicLoader: kernel32.dll/GetTimeFormatA
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/GetTimeZoneInformation
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/CompareStringW
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/LocalReAlloc
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/GlobalHandle
DynamicLoader: kernel32.dll/GlobalReAlloc
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/GetFileSizeEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/UnlockFile
DynamicLoader: kernel32.dll/LockFile
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/FormatMessageW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/CreateMutexW
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetPrivateProfileStringW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExW
DynamicLoader: kernel32.dll/SetCurrentDirectoryW
DynamicLoader: kernel32.dll/LockResource
DynamicLoader: kernel32.dll/MoveFileW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/FindResourceW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/CreatePipe
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WinExec
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/WTSGetActiveConsoleSessionId
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/WritePrivateProfileStringW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SetThreadContext
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: USER32.dll/SetMenu
DynamicLoader: USER32.dll/SetForegroundWindow
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/GetClassInfoExW
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: USER32.dll/CopyRect
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetMenu
DynamicLoader: USER32.dll/ExitWindowsEx
DynamicLoader: USER32.dll/mouse_event
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/SetCursorPos
DynamicLoader: USER32.dll/SystemParametersInfoA
DynamicLoader: USER32.dll/IsIconic
DynamicLoader: USER32.dll/GetWindowPlacement
DynamicLoader: USER32.dll/GrayStringW
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: USER32.dll/DrawTextW
DynamicLoader: USER32.dll/TabbedTextOutW
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/CallNextHookEx
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetKeyState
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/ValidateRect
DynamicLoader: USER32.dll/LoadIconW
DynamicLoader: USER32.dll/MapWindowPoints
DynamicLoader: USER32.dll/GetMessagePos
DynamicLoader: USER32.dll/GetMessageTime
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/GetTopWindow
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/GetSubMenu
DynamicLoader: USER32.dll/WinHelpW
DynamicLoader: USER32.dll/GetMenuItemID
DynamicLoader: USER32.dll/GetMenuState
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CharUpperW
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: USER32.dll/MessageBoxW
DynamicLoader: USER32.dll/EnableWindow
DynamicLoader: USER32.dll/IsWindowEnabled
DynamicLoader: USER32.dll/GetLastActivePopup
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/GetParent
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/CheckMenuItem
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/ModifyMenuW
DynamicLoader: USER32.dll/LoadBitmapW
DynamicLoader: USER32.dll/GetMenuCheckMarkDimensions
DynamicLoader: USER32.dll/SetMenuItemBitmaps
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: USER32.dll/DestroyMenu
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/RemovePropW
DynamicLoader: USER32.dll/GetPropW
DynamicLoader: USER32.dll/SetPropW
DynamicLoader: USER32.dll/GetClassLongW
DynamicLoader: USER32.dll/GetCapture
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/UnhookWindowsHookEx
DynamicLoader: USER32.dll/GetSysColorBrush
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/LoadCursorW
DynamicLoader: USER32.dll/SetWindowTextW
DynamicLoader: USER32.dll/PtInRect
DynamicLoader: USER32.dll/GetClassNameW
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetDlgCtrlID
DynamicLoader: USER32.dll/GetWindow
DynamicLoader: USER32.dll/ClientToScreen
DynamicLoader: USER32.dll/GetFocus
DynamicLoader: USER32.dll/GetDlgItem
DynamicLoader: USER32.dll/GetMenuItemCount
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: GDI32.dll/PtVisible
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: Winsta.dll/WinStationFreeMemory
DynamicLoader: Winsta.dll/WinStationCloseServer
DynamicLoader: Winsta.dll/WinStationOpenServerW
DynamicLoader: Winsta.dll/WinStationFreeGAPMemory
DynamicLoader: Winsta.dll/WinStationGetAllProcesses
DynamicLoader: Winsta.dll/WinStationEnumerateProcesses
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: USERENV.dll/CreateEnvironmentBlock
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: USERENV.dll/DestroyEnvironmentBlock
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CLSIDFromOle1Class
DynamicLoader: CLBCatQ.DLL/GetCatalogObject
DynamicLoader: CLBCatQ.DLL/GetCatalogObject2
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: wininet.dll/DllGetClassObject
DynamicLoader: wininet.dll/DllCanUnloadNow
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wininet.dll/DllGetClassObject
DynamicLoader: wininet.dll/DllCanUnloadNow
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoImpersonateClient
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoRevertToSelf
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetTokenInformation
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/CopySid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EqualSid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetSidSubAuthorityCount
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetSidSubAuthority
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventRegister
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventUnregister
DynamicLoader: Secur32.dll/GetUserNameExA
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCreateKeyExA
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegQueryValueExA
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegOpenKeyExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegGetValueW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCloseKey
DynamicLoader: SHELL32.dll/SHGetKnownFolderPath
DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertSidToStringSidW
DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegGetValueA
DynamicLoader: iertutil.dll/
DynamicLoader: iertutil.dll/
DynamicLoader: iertutil.dll/
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegOpenKeyExA
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoTaskMemAlloc
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: winhttp.dll/WinHttpCreateProxyResolver
DynamicLoader: iertutil.dll/
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegQueryValueExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCreateKeyExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegSetValueExW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CLSIDFromOle1Class
DynamicLoader: CLBCatQ.DLL/GetCatalogObject
DynamicLoader: CLBCatQ.DLL/GetCatalogObject2
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: wininet.dll/DllGetClassObject
DynamicLoader: wininet.dll/DllCanUnloadNow
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wininet.dll/DllGetClassObject
DynamicLoader: wininet.dll/DllCanUnloadNow
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoImpersonateClient
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoRevertToSelf
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetTokenInformation
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/CopySid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EqualSid
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetSidSubAuthorityCount
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/GetSidSubAuthority
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventRegister
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventUnregister
DynamicLoader: Secur32.dll/GetUserNameExA
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCreateKeyExA
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegQueryValueExA
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegOpenKeyExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegGetValueW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCloseKey
DynamicLoader: SHELL32.dll/SHGetKnownFolderPath
DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertSidToStringSidW
DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegGetValueA
DynamicLoader: iertutil.dll/
DynamicLoader: iertutil.dll/
DynamicLoader: iertutil.dll/
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegOpenKeyExA
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoTaskMemAlloc
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: winhttp.dll/WinHttpCreateProxyResolver
DynamicLoader: iertutil.dll/
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegQueryValueExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegCreateKeyExW
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegSetValueExW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetBestInterfaceEx
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: OLEAUT32.dll/
Resumed a thread in another process
thread_resumed: Process rundll32.exe with process ID 2392 resumed a thread in another process with the process ID 2392
thread_resumed: Process taskkill.exe with process ID 1856 resumed a thread in another process with the process ID 1856
thread_resumed: Process wmiprvse.exe with process ID 812 resumed a thread in another process with the process ID 812
thread_resumed: Process dllhost.exe with process ID 932 resumed a thread in another process with the process ID 932
thread_resumed: Process dllhost.exe with process ID 2160 resumed a thread in another process with the process ID 2160
Attempts to make a network connection via suspicious process
The binary likely contains encrypted or compressed data
section: {'name': '.data', 'raw_address': '0x00037000', 'virtual_address': '0x00039000', 'virtual_size': '0x0002d8ac', 'size_of_data': '0x00029200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.94'}
Checks for presence of debugger via IsDebuggerPresent
Starts servers listening on 0.0.0.0:49563
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
anomaly: Actual checksum does not match that reported in PE header
Modifies Windows System files (System32 / SysWOW64)
ModifiedFile: C:\Windows\System32\wbem\repository\MAPPING3.MAP
ModifiedFile: C:\Windows\System32\wbem\repository\WRITABLE.TST
ModifiedFile: C:\Windows\System32\wbem\repository\MAPPING1.MAP
ModifiedFile: C:\Windows\System32\wbem\repository\MAPPING2.MAP
ModifiedFile: C:\Windows\System32\wbem\repository\OBJECTS.DATA
ModifiedFile: C:\Windows\System32\wbem\repository\INDEX.BTR
Sniffs keystrokes
GetAsyncKeyState: Process: rundll32.exe(2392)
Uses suspicious command line tools or Windows utilities
command: TASKKILL /F /IM rundll32.exe
Screenshots
Session Playback
No playback available.
Hosts
No hosts contacted.
Summary
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.124.Manifest
C:\Windows\SysWOW64\msgsm64.acm
C:\Users\Public\Documents\desktop.ini
\Device\KsecDD
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Temp
C:\Users\user\AppData\Local\Temp
\??\PIPE\samr
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Windows\System32\rpcss.dll
C:\Windows\Branding\Basebrd\basebrd.dll
C:
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
\??\Nsi
C:\Users\user\AppData\Local\Temp\red_core.exe.dll
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\red_core.exe.dll.124.Manifest
C:\Windows\SysWOW64\msgsm64.acm
C:\Users\Public\Documents\desktop.ini
\Device\KsecDD
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Temp
C:\Users\user\AppData\Local\Temp
\??\PIPE\samr
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Windows\System32\rpcss.dll
C:\Windows\Branding\Basebrd\basebrd.dll
C:
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
\??\Nsi
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\TASKKILL.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\ConfigFlags
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_CLASSES\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_CLASSES\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1381398318-3211537236-2227685884-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1381398318-3211537236-2227685884-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Environment
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Volatile Environment
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Volatile Environment\0
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\Software\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_CURRENT_USER\Software\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AllowOnlyDNSQueryForWPAD
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\TASKKILL.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39b8af29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\ConfigFlags
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_CLASSES\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_CLASSES\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1381398318-3211537236-2227685884-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1381398318-3211537236-2227685884-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Environment
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Volatile Environment
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Volatile Environment\0
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000_Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\Software\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TreatAs
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_CURRENT_USER\Software\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AllowOnlyDNSQueryForWPAD
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\System\Setup
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\ConfigFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1381398318-3211537236-2227685884-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AllowOnlyDNSQueryForWPAD
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&39B8AF29&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&39B8AF29&0&0001\ConfigFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1381398318-3211537236-2227685884-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1381398318-3211537236-2227685884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{02A101D1-60F1-43ED-A149-96E77B861279}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{53200D82-812C-4C42-A5E0-74CB803F176A}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{603BE053-620B-4345-A123-3BA8128C5CDC}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{C78C9EA0-13FF-4648-B20C-28E21D5ED90B}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F9717507-6651-4EDB-BFF7-AE615179BCCF}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B06B0CE5-689B-4AFD-B326-0A08A1A647AF}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\DllHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreConnectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PreResolveLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SqmHttpStreamRandomUploadPoolSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AllowOnlyDNSQueryForWPAD
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseFirstAvailable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CombineFalseStartData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableFalseStartBlocklist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnforceP3PValidity
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DuoProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSpdyDebugAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
red_core.exe.dll.#1
uxtheme.dll.ThemeInitApiHook
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
kernel32.dll.GlobalFlags
kernel32.dll.GetCurrentThreadId
kernel32.dll.GlobalAddAtomW
kernel32.dll.GetModuleHandleA
kernel32.dll.GetVersionExA
kernel32.dll.LoadLibraryA
kernel32.dll.GlobalDeleteAtom
kernel32.dll.GlobalFindAtomW
kernel32.dll.CompareStringA
kernel32.dll.GetDriveTypeA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.WriteConsoleW
kernel32.dll.GetConsoleOutputCP
kernel32.dll.WriteConsoleA
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.LCMapStringA
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetTickCount
kernel32.dll.lstrcmpW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetDateFormatA
kernel32.dll.GetTimeFormatA
kernel32.dll.LCMapStringW
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.GetTimeZoneInformation
kernel32.dll.IsValidCodePage
kernel32.dll.GetOEMCP
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetModuleFileNameA
kernel32.dll.VirtualFree
kernel32.dll.HeapDestroy
kernel32.dll.HeapCreate
kernel32.dll.ExitProcess
kernel32.dll.HeapSize
kernel32.dll.RaiseException
kernel32.dll.RtlUnwind
kernel32.dll.HeapReAlloc
kernel32.dll.GetCommandLineA
kernel32.dll.GetStartupInfoA
kernel32.dll.GetFileType
kernel32.dll.SetHandleCount
kernel32.dll.CreateThread
kernel32.dll.ExitThread
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.InterlockedIncrement
kernel32.dll.CompareStringW
kernel32.dll.FreeLibrary
kernel32.dll.InterlockedDecrement
kernel32.dll.GetModuleHandleW
kernel32.dll.TlsFree
kernel32.dll.DeleteCriticalSection
kernel32.dll.LocalReAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsAlloc
kernel32.dll.InitializeCriticalSection
kernel32.dll.GlobalHandle
kernel32.dll.GlobalReAlloc
kernel32.dll.EnterCriticalSection
kernel32.dll.TlsGetValue
kernel32.dll.LeaveCriticalSection
kernel32.dll.LocalAlloc
kernel32.dll.GetCurrentProcessId
kernel32.dll.lstrcmpA
kernel32.dll.GetFileTime
kernel32.dll.GetFileSizeEx
kernel32.dll.GetFileAttributesW
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetFullPathNameW
kernel32.dll.SetEndOfFile
kernel32.dll.UnlockFile
kernel32.dll.LockFile
kernel32.dll.FlushFileBuffers
kernel32.dll.SetFilePointer
kernel32.dll.LoadLibraryW
kernel32.dll.FindFirstFileW
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FindNextFileW
kernel32.dll.FindClose
kernel32.dll.GlobalFree
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.FormatMessageW
kernel32.dll.LocalFree
kernel32.dll.SetLastError
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetLastError
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
kernel32.dll.GetProcessHeap
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetComputerNameA
kernel32.dll.GetPrivateProfileStringW
kernel32.dll.GetVolumeInformationW
kernel32.dll.DeleteFileW
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.LockResource
kernel32.dll.MoveFileW
kernel32.dll.GetTempPathW
kernel32.dll.lstrlenW
kernel32.dll.SizeofResource
kernel32.dll.CreateDirectoryW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.SetErrorMode
kernel32.dll.GetDriveTypeW
kernel32.dll.Sleep
kernel32.dll.lstrcpyA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.ResetEvent
kernel32.dll.DuplicateHandle
kernel32.dll.CreatePipe
kernel32.dll.CreateEventW
kernel32.dll.SetStdHandle
kernel32.dll.GetStdHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.CreateProcessW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.lstrcpyW
kernel32.dll.ResumeThread
kernel32.dll.WriteProcessMemory
kernel32.dll.CloseHandle
kernel32.dll.WinExec
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.WTSGetActiveConsoleSessionId
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualAlloc
kernel32.dll.WritePrivateProfileStringW
kernel32.dll.CreateFileW
kernel32.dll.ReadFile
kernel32.dll.TerminateProcess
kernel32.dll.GetSystemDirectoryW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.OpenProcess
kernel32.dll.WriteFile
kernel32.dll.GetCurrentThread
kernel32.dll.SetEvent
kernel32.dll.WaitForSingleObject
kernel32.dll.SetThreadContext
kernel32.dll.GetFileSize
kernel32.dll.CreateFileA
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetThreadContext
user32.dll.SetMenu
user32.dll.SetForegroundWindow
user32.dll.GetClientRect
user32.dll.PostMessageW
user32.dll.CreateWindowExW
user32.dll.GetClassInfoExW
user32.dll.GetClassInfoW
user32.dll.RegisterClassW
user32.dll.AdjustWindowRectEx
user32.dll.CopyRect
user32.dll.DefWindowProcW
user32.dll.CallWindowProcW
user32.dll.GetMenu
user32.dll.ExitWindowsEx
user32.dll.mouse_event
user32.dll.ReleaseDC
user32.dll.SetCursorPos
user32.dll.SystemParametersInfoA
user32.dll.IsIconic
user32.dll.GetWindowPlacement
user32.dll.GrayStringW
user32.dll.DrawTextExW
user32.dll.DrawTextW
user32.dll.TabbedTextOutW
user32.dll.SetWindowsHookExW
user32.dll.CallNextHookEx
user32.dll.DispatchMessageW
user32.dll.GetKeyState
user32.dll.PeekMessageW
user32.dll.ValidateRect
user32.dll.LoadIconW
user32.dll.MapWindowPoints
user32.dll.GetMessagePos
user32.dll.GetMessageTime
user32.dll.DestroyWindow
user32.dll.GetTopWindow
user32.dll.GetDC
user32.dll.keybd_event
user32.dll.GetSubMenu
user32.dll.WinHelpW
user32.dll.GetMenuItemID
user32.dll.GetMenuState
user32.dll.GetSystemMetrics
user32.dll.CharUpperW
user32.dll.GetWindowTextW
user32.dll.MessageBoxW
user32.dll.EnableWindow
user32.dll.IsWindowEnabled
user32.dll.GetLastActivePopup
user32.dll.GetWindowLongW
user32.dll.GetParent
user32.dll.RegisterWindowMessageW
user32.dll.CheckMenuItem
user32.dll.EnableMenuItem
user32.dll.ModifyMenuW
user32.dll.LoadBitmapW
user32.dll.GetMenuCheckMarkDimensions
user32.dll.SetMenuItemBitmaps
user32.dll.PostQuitMessage
user32.dll.DestroyMenu
user32.dll.GetForegroundWindow
user32.dll.RemovePropW
user32.dll.GetPropW
user32.dll.SetPropW
user32.dll.GetClassLongW
user32.dll.GetCapture
user32.dll.SendMessageW
user32.dll.GetWindowThreadProcessId
user32.dll.UnhookWindowsHookEx
user32.dll.GetSysColorBrush
user32.dll.GetSysColor
user32.dll.LoadCursorW
user32.dll.SetWindowTextW
user32.dll.PtInRect
user32.dll.GetClassNameW
user32.dll.GetWindowRect
user32.dll.GetDlgCtrlID
user32.dll.GetWindow
user32.dll.ClientToScreen
user32.dll.GetFocus
user32.dll.GetDlgItem
user32.dll.GetMenuItemCount
user32.dll.IsWindow
user32.dll.SetWindowLongW
user32.dll.SetWindowPos
gdi32.dll.PtVisible
cryptbase.dll.SystemFunction036
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
winsta.dll.WinStationFreeMemory
winsta.dll.WinStationCloseServer
winsta.dll.WinStationOpenServerW
winsta.dll.WinStationFreeGAPMemory
winsta.dll.WinStationGetAllProcesses
winsta.dll.WinStationEnumerateProcesses
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
kernel32.dll.RegOpenKeyExW
ntdll.dll.EtwUnregisterTraceGuids
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
oleaut32.dll.#4
oleaut32.dll.#7
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
cryptsp.dll.CryptGenRandom
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
advapi32.dll.RegOpenKeyW
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
ole32.dll.CoRevertToSelf
sspicli.dll.LogonUserExExW
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoSwitchCallContext
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
wininet.dll.DllGetClassObject
wininet.dll.DllCanUnloadNow
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
api-ms-win-downlevel-ole32-l1-1-0.dll.CoImpersonateClient
api-ms-win-downlevel-ole32-l1-1-0.dll.CoRevertToSelf
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetTokenInformation
api-ms-win-downlevel-advapi32-l1-1-0.dll.CopySid
api-ms-win-downlevel-advapi32-l1-1-0.dll.EqualSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthorityCount
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthority
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventRegister
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventUnregister
secur32.dll.GetUserNameExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCloseKey
shell32.dll.SHGetKnownFolderPath
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertSidToStringSidW
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueA
iertutil.dll.#701
iertutil.dll.#703
iertutil.dll.#702
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExA
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemAlloc
ws2_32.dll.#115
ws2_32.dll.#111
iertutil.dll.#791
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegSetValueExW
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
red_core.exe.dll.#1
uxtheme.dll.ThemeInitApiHook
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetBestInterfaceEx
iphlpapi.dll.GetIfEntry2
kernel32.dll.GlobalFlags
kernel32.dll.GetCurrentThreadId
kernel32.dll.GlobalAddAtomW
kernel32.dll.GetModuleHandleA
kernel32.dll.GetVersionExA
kernel32.dll.LoadLibraryA
kernel32.dll.GlobalDeleteAtom
kernel32.dll.GlobalFindAtomW
kernel32.dll.CompareStringA
kernel32.dll.GetDriveTypeA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.WriteConsoleW
kernel32.dll.GetConsoleOutputCP
kernel32.dll.WriteConsoleA
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.LCMapStringA
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetTickCount
kernel32.dll.lstrcmpW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetDateFormatA
kernel32.dll.GetTimeFormatA
kernel32.dll.LCMapStringW
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.GetTimeZoneInformation
kernel32.dll.IsValidCodePage
kernel32.dll.GetOEMCP
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetModuleFileNameA
kernel32.dll.VirtualFree
kernel32.dll.HeapDestroy
kernel32.dll.HeapCreate
kernel32.dll.ExitProcess
kernel32.dll.HeapSize
kernel32.dll.RaiseException
kernel32.dll.RtlUnwind
kernel32.dll.HeapReAlloc
kernel32.dll.GetCommandLineA
kernel32.dll.GetStartupInfoA
kernel32.dll.GetFileType
kernel32.dll.SetHandleCount
kernel32.dll.CreateThread
kernel32.dll.ExitThread
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.InterlockedIncrement
kernel32.dll.CompareStringW
kernel32.dll.FreeLibrary
kernel32.dll.InterlockedDecrement
kernel32.dll.GetModuleHandleW
kernel32.dll.TlsFree
kernel32.dll.DeleteCriticalSection
kernel32.dll.LocalReAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsAlloc
kernel32.dll.InitializeCriticalSection
kernel32.dll.GlobalHandle
kernel32.dll.GlobalReAlloc
kernel32.dll.EnterCriticalSection
kernel32.dll.TlsGetValue
kernel32.dll.LeaveCriticalSection
kernel32.dll.LocalAlloc
kernel32.dll.GetCurrentProcessId
kernel32.dll.lstrcmpA
kernel32.dll.GetFileTime
kernel32.dll.GetFileSizeEx
kernel32.dll.GetFileAttributesW
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetFullPathNameW
kernel32.dll.SetEndOfFile
kernel32.dll.UnlockFile
kernel32.dll.LockFile
kernel32.dll.FlushFileBuffers
kernel32.dll.SetFilePointer
kernel32.dll.LoadLibraryW
kernel32.dll.FindFirstFileW
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FindNextFileW
kernel32.dll.FindClose
kernel32.dll.GlobalFree
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.FormatMessageW
kernel32.dll.LocalFree
kernel32.dll.SetLastError
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetLastError
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
kernel32.dll.GetProcessHeap
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetComputerNameA
kernel32.dll.GetPrivateProfileStringW
kernel32.dll.GetVolumeInformationW
kernel32.dll.DeleteFileW
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.LockResource
kernel32.dll.MoveFileW
kernel32.dll.GetTempPathW
kernel32.dll.lstrlenW
kernel32.dll.SizeofResource
kernel32.dll.CreateDirectoryW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.SetErrorMode
kernel32.dll.GetDriveTypeW
kernel32.dll.Sleep
kernel32.dll.lstrcpyA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.ResetEvent
kernel32.dll.DuplicateHandle
kernel32.dll.CreatePipe
kernel32.dll.CreateEventW
kernel32.dll.SetStdHandle
kernel32.dll.GetStdHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.CreateProcessW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.lstrcpyW
kernel32.dll.ResumeThread
kernel32.dll.WriteProcessMemory
kernel32.dll.CloseHandle
kernel32.dll.WinExec
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.WTSGetActiveConsoleSessionId
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualAlloc
kernel32.dll.WritePrivateProfileStringW
kernel32.dll.CreateFileW
kernel32.dll.ReadFile
kernel32.dll.TerminateProcess
kernel32.dll.GetSystemDirectoryW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.OpenProcess
kernel32.dll.WriteFile
kernel32.dll.GetCurrentThread
kernel32.dll.SetEvent
kernel32.dll.WaitForSingleObject
kernel32.dll.SetThreadContext
kernel32.dll.GetFileSize
kernel32.dll.CreateFileA
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetThreadContext
user32.dll.SetMenu
user32.dll.SetForegroundWindow
user32.dll.GetClientRect
user32.dll.PostMessageW
user32.dll.CreateWindowExW
user32.dll.GetClassInfoExW
user32.dll.GetClassInfoW
user32.dll.RegisterClassW
user32.dll.AdjustWindowRectEx
user32.dll.CopyRect
user32.dll.DefWindowProcW
user32.dll.CallWindowProcW
user32.dll.GetMenu
user32.dll.ExitWindowsEx
user32.dll.mouse_event
user32.dll.ReleaseDC
user32.dll.SetCursorPos
user32.dll.SystemParametersInfoA
user32.dll.IsIconic
user32.dll.GetWindowPlacement
user32.dll.GrayStringW
user32.dll.DrawTextExW
user32.dll.DrawTextW
user32.dll.TabbedTextOutW
user32.dll.SetWindowsHookExW
user32.dll.CallNextHookEx
user32.dll.DispatchMessageW
user32.dll.GetKeyState
user32.dll.PeekMessageW
user32.dll.ValidateRect
user32.dll.LoadIconW
user32.dll.MapWindowPoints
user32.dll.GetMessagePos
user32.dll.GetMessageTime
user32.dll.DestroyWindow
user32.dll.GetTopWindow
user32.dll.GetDC
user32.dll.keybd_event
user32.dll.GetSubMenu
user32.dll.WinHelpW
user32.dll.GetMenuItemID
user32.dll.GetMenuState
user32.dll.GetSystemMetrics
user32.dll.CharUpperW
user32.dll.GetWindowTextW
user32.dll.MessageBoxW
user32.dll.EnableWindow
user32.dll.IsWindowEnabled
user32.dll.GetLastActivePopup
user32.dll.GetWindowLongW
user32.dll.GetParent
user32.dll.RegisterWindowMessageW
user32.dll.CheckMenuItem
user32.dll.EnableMenuItem
user32.dll.ModifyMenuW
user32.dll.LoadBitmapW
user32.dll.GetMenuCheckMarkDimensions
user32.dll.SetMenuItemBitmaps
user32.dll.PostQuitMessage
user32.dll.DestroyMenu
user32.dll.GetForegroundWindow
user32.dll.RemovePropW
user32.dll.GetPropW
user32.dll.SetPropW
user32.dll.GetClassLongW
user32.dll.GetCapture
user32.dll.SendMessageW
user32.dll.GetWindowThreadProcessId
user32.dll.UnhookWindowsHookEx
user32.dll.GetSysColorBrush
user32.dll.GetSysColor
user32.dll.LoadCursorW
user32.dll.SetWindowTextW
user32.dll.PtInRect
user32.dll.GetClassNameW
user32.dll.GetWindowRect
user32.dll.GetDlgCtrlID
user32.dll.GetWindow
user32.dll.ClientToScreen
user32.dll.GetFocus
user32.dll.GetDlgItem
user32.dll.GetMenuItemCount
user32.dll.IsWindow
user32.dll.SetWindowLongW
user32.dll.SetWindowPos
gdi32.dll.PtVisible
cryptbase.dll.SystemFunction036
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
winsta.dll.WinStationFreeMemory
winsta.dll.WinStationCloseServer
winsta.dll.WinStationOpenServerW
winsta.dll.WinStationFreeGAPMemory
winsta.dll.WinStationGetAllProcesses
winsta.dll.WinStationEnumerateProcesses
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
kernel32.dll.RegOpenKeyExW
ntdll.dll.EtwUnregisterTraceGuids
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
oleaut32.dll.#4
oleaut32.dll.#7
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
cryptsp.dll.CryptGenRandom
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
advapi32.dll.RegOpenKeyW
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
ole32.dll.CoRevertToSelf
sspicli.dll.LogonUserExExW
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoSwitchCallContext
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
wininet.dll.DllGetClassObject
wininet.dll.DllCanUnloadNow
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
api-ms-win-downlevel-ole32-l1-1-0.dll.CoImpersonateClient
api-ms-win-downlevel-ole32-l1-1-0.dll.CoRevertToSelf
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetTokenInformation
api-ms-win-downlevel-advapi32-l1-1-0.dll.CopySid
api-ms-win-downlevel-advapi32-l1-1-0.dll.EqualSid
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthorityCount
api-ms-win-downlevel-advapi32-l1-1-0.dll.GetSidSubAuthority
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventRegister
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventUnregister
secur32.dll.GetUserNameExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExA
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCloseKey
shell32.dll.SHGetKnownFolderPath
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertSidToStringSidW
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegGetValueA
iertutil.dll.#701
iertutil.dll.#703
iertutil.dll.#702
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegOpenKeyExA
api-ms-win-downlevel-ole32-l1-1-0.dll.CoTaskMemAlloc
ws2_32.dll.#115
ws2_32.dll.#111
iertutil.dll.#791
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegQueryValueExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegCreateKeyExW
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegSetValueExW
TASKKILL /F /IM rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
{728264DE-3701-419B-84A4-2AD86B0C43A3}
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.