Detection(s): AgentTesla

Status: Malicious

Analysis

Category: FILE

Package: exe

Started: 2025-12-09 15:36:52

Completed: 2025-12-09 15:40:58

Duration: 246 seconds

Options: vnc_port=5900

MalScore: 10.0

Log(s):
2025-12-06 18:57:52,416 [root] INFO: Date set to: 20251209T07:36:52, timeout set to: 180
2025-12-09 07:36:52,064 [root] DEBUG: Starting analyzer from: C:\tmpuce0d7me
2025-12-09 07:36:52,064 [root] DEBUG: Storing results at: C:\EXMiUAlFU
2025-12-09 07:36:52,064 [root] DEBUG: Pipe server name: \\.\PIPE\XguFKzxgD
2025-12-09 07:36:52,064 [root] DEBUG: Python path: C:\Python38
2025-12-09 07:36:52,064 [root] INFO: analysis running as an admin
2025-12-09 07:36:52,064 [root] INFO: analysis package specified: "exe"
2025-12-09 07:36:52,064 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-12-09 07:36:52,064 [root] DEBUG: imported analysis package "exe"
2025-12-09 07:36:52,064 [root] DEBUG: initializing analysis package "exe"...
2025-12-09 07:36:52,064 [lib.common.common] INFO: wrapping
2025-12-09 07:36:52,064 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:36:52,064 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\BL 216238068 DOCS.exe
2025-12-09 07:36:52,064 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-12-09 07:36:52,064 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-12-09 07:36:52,064 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-12-09 07:36:52,064 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-12-09 07:36:52,127 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-09 07:36:52,127 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-09 07:36:52,142 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-09 07:36:52,142 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-09 07:36:52,142 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-09 07:36:52,142 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-09 07:36:52,158 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-09 07:36:52,158 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-09 07:36:52,158 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-09 07:36:52,158 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-12-09 07:36:52,158 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-09 07:36:52,158 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-09 07:36:52,158 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-09 07:36:52,158 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-09 07:36:52,158 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-09 07:36:52,158 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-09 07:36:52,158 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-09 07:36:52,158 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-09 07:36:52,158 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-09 07:36:52,158 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-09 07:36:52,158 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-09 07:36:52,158 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-09 07:36:52,158 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-09 07:36:52,158 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-09 07:36:52,158 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-09 07:36:52,158 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-09 07:36:52,158 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-09 07:36:52,158 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-09 07:36:52,174 [modules.auxiliary.disguise] INFO: Disguising GUID to 4caeea21-227a-4ad0-bada-5b09cc2e9d32
2025-12-09 07:36:52,174 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-09 07:36:52,174 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-09 07:36:52,174 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-09 07:36:52,174 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-09 07:36:52,174 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-09 07:36:52,174 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-09 07:36:52,174 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-09 07:36:52,174 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-09 07:36:52,174 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-09 07:36:52,174 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-09 07:36:52,174 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-09 07:36:52,174 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-09 07:36:52,174 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-09 07:36:52,189 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-09 07:36:52,189 [root] DEBUG: attempting to configure 'Human' from data
2025-12-09 07:36:52,189 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-09 07:36:52,189 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-09 07:36:52,189 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-09 07:36:52,189 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-09 07:36:52,189 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-09 07:36:52,189 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-09 07:36:52,189 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-09 07:36:52,189 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-09 07:36:52,189 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-09 07:36:52,189 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-09 07:36:52,189 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-09 07:36:52,189 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-09 07:36:52,205 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-12-09 07:36:52,205 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-09 07:36:52,205 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-09 07:36:52,205 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-09 07:36:52,205 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-09 07:36:52,205 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-09 07:36:52,423 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-09 07:36:52,517 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-09 07:36:52,548 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-09 07:36:52,548 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-09 07:36:52,548 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-09 07:36:52,548 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-09 07:36:52,548 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-09 07:36:52,548 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 720
2025-12-09 07:36:52,548 [lib.api.process] INFO: Monitor config for <Process 720 lsass.exe>: C:\tmpuce0d7me\dll\720.ini
2025-12-09 07:36:52,611 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-09 07:36:52,736 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-09 07:36:52,752 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-09 07:36:52,830 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-09 07:36:52,877 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-09 07:36:52,955 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-09 07:36:53,127 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-09 07:36:53,127 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-09 07:36:53,205 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-09 07:36:53,267 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-09 07:36:53,346 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-09 07:36:53,423 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-09 07:36:53,471 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-09 07:36:53,471 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-09 07:36:53,517 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-09 07:36:53,517 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-09 07:36:53,548 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-09 07:36:53,564 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-09 07:36:53,564 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:36:53,564 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-09 07:36:53,596 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-09 07:36:53,627 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-09 07:36:53,642 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-09 07:36:53,673 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-09 07:36:53,705 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-09 07:36:53,721 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-09 07:36:53,752 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-09 07:36:53,783 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-09 07:36:53,814 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-09 07:36:53,846 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-09 07:36:53,877 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-09 07:36:53,908 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:36:53,939 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:36:53,955 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-09 07:36:53,986 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-09 07:36:54,017 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-09 07:36:54,048 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-09 07:36:54,080 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-09 07:36:54,096 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-09 07:36:54,127 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-09 07:36:54,158 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-09 07:36:54,189 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-09 07:36:54,221 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-09 07:36:54,267 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-09 07:36:54,298 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-09 07:36:54,314 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-09 07:36:54,361 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-09 07:36:54,392 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-09 07:36:54,439 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-09 07:36:54,471 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-09 07:36:54,502 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-09 07:36:54,517 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-09 07:36:54,548 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-09 07:36:54,580 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-09 07:36:54,611 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-09 07:36:54,627 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-09 07:36:54,658 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-09 07:36:54,689 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-09 07:36:54,721 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-09 07:36:54,736 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-09 07:36:54,767 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-09 07:36:54,798 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-09 07:36:54,830 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-09 07:36:54,846 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-09 07:37:17,573 [root] DEBUG: Loader: Injecting process 720 with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:37:41,597 [root] DEBUG: 720: Python path set to 'C:\Python38'.
2025-12-09 07:37:41,597 [root] INFO: Disabling sleep skipping.
2025-12-09 07:37:41,613 [root] DEBUG: 720: TLS secret dump mode enabled.
2025-12-09 07:37:41,613 [root] DEBUG: 720: GetAddressByYara: ModuleBase 0x00007FF8E5730000 FunctionName RtlInsertInvertedFunctionTable
2025-12-09 07:37:41,613 [root] DEBUG: 720: RtlInsertInvertedFunctionTable 0x00007FF8E575BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FF8E58B70F0
2025-12-09 07:37:41,613 [root] DEBUG: 720: Monitor initialised: 64-bit capemon loaded in process 720 at 0x00007FF8B7F50000, thread 4304, image base 0x00007FF6E3C60000, stack from 0x000000DE97A74000-0x000000DE97A80000
2025-12-09 07:37:41,613 [root] DEBUG: 720: Commandline: C:\Windows\system32\lsass.exe
2025-12-09 07:37:41,613 [root] DEBUG: 720: Hooked 5 out of 5 functions
2025-12-09 07:37:41,613 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:37:41,613 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:37:41,613 [lib.api.process] INFO: Injected into 64-bit <Process 720 lsass.exe>
2025-12-09 07:37:41,613 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-09 07:37:41,613 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-09 07:37:41,613 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-09 07:37:41,613 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-09 07:37:41,613 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-09 07:37:41,628 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-09 07:37:41,628 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-09 07:37:41,628 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-09 07:37:41,628 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-09 07:37:41,628 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-09 07:37:41,628 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-09 07:37:44,285 [root] INFO: Restarting WMI Service
2025-12-09 07:37:46,347 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-12-09 07:37:46,347 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-12-09 07:37:46,347 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:38:10,371 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\BL 216238068 DOCS.exe" with arguments "" with pid 6568
2025-12-09 07:38:10,371 [lib.api.process] INFO: Monitor config for <Process 6568 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6568.ini
2025-12-09 07:38:10,371 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:38:34,406 [root] DEBUG: Loader: Injecting process 6568 (thread 4392) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:38:34,406 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:38:34,406 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:38:34,406 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:38:34,406 [lib.api.process] INFO: Injected into 32-bit <Process 6568 BL 216238068 DOCS.exe>
2025-12-09 07:38:36,422 [lib.api.process] INFO: Successfully resumed <Process 6568 BL 216238068 DOCS.exe>
2025-12-09 07:39:00,465 [root] DEBUG: 6568: Python path set to 'C:\Python38'.
2025-12-09 07:39:00,465 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:00,465 [root] DEBUG: 6568: Dropped file limit defaulting to 100.
2025-12-09 07:39:00,465 [root] DEBUG: 6568: YaraInit: Compiled 41 rule files
2025-12-09 07:39:00,465 [root] DEBUG: 6568: YaraInit: Compiled rules saved to file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:39:00,465 [root] DEBUG: 6568: YaraScan: Scanning 0x001B0000, size 0x240
2025-12-09 07:39:00,465 [root] DEBUG: 6568: AmsiDumper initialised.
2025-12-09 07:39:00,465 [root] DEBUG: 6568: Monitor initialised: 32-bit capemon loaded in process 6568 at 0x74fc0000, thread 4392, image base 0x1b0000, stack from 0x6f5000-0x700000
2025-12-09 07:39:00,465 [root] DEBUG: 6568: Commandline: "C:\Users\user\AppData\Local\Temp\BL 216238068 DOCS.exe"
2025-12-09 07:39:00,465 [root] DEBUG: 6568: GetAddressByYara: ModuleBase 0x77AF0000 FunctionName LdrpCallInitRoutine
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: LdrpCallInitRoutine export address 0x77B666A0 obtained via GetFunctionAddress
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - CreateRemoteThreadEx export address 0x75FC9A4C differs from GetProcAddress -> 0x76FFDDB0 (KERNELBASE.dll::0x11ddb0)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - CoCreateInstance export address 0x77890FEB differs from GetProcAddress -> 0x7724FF70 (combase.dll::0xdff70)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - CoCreateInstanceEx export address 0x7789102A differs from GetProcAddress -> 0x7729CCF0 (combase.dll::0x12ccf0)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - CoGetClassObject export address 0x778915BA differs from GetProcAddress -> 0x77212BD0 (combase.dll::0xa2bd0)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - UpdateProcThreadAttribute export address 0x75FD18BA differs from GetProcAddress -> 0x7702BD10 (KERNELBASE.dll::0x14bd10)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - SetWindowLongW export address 0x7594ED80 differs from GetProcAddress -> 0x714200F0 (apphelp.dll::0x600f0)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - EnumDisplayDevicesA export address 0x759B7B40 differs from GetProcAddress -> 0x7141F680 (apphelp.dll::0x5f680)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - EnumDisplayDevicesW export address 0x75960400 differs from GetProcAddress -> 0x7141F6B0 (apphelp.dll::0x5f6b0)
2025-12-09 07:39:00,481 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:39:00,481 [root] DEBUG: 6568: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:39:00,481 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:39:00,481 [root] DEBUG: 6568: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - CLSIDFromProgID export address 0x77890824 differs from GetProcAddress -> 0x771E54C0 (combase.dll::0x754c0)
2025-12-09 07:39:00,481 [root] DEBUG: 6568: hook_api: Warning - CLSIDFromProgIDEx export address 0x77890861 differs from GetProcAddress -> 0x771DFF40 (combase.dll::0x6ff40)
2025-12-09 07:39:00,496 [root] DEBUG: 6568: Hooked 611 out of 613 functions
2025-12-09 07:39:00,496 [root] DEBUG: 6568: Syscall hook installed, syscall logging level 1
2025-12-09 07:39:00,496 [root] DEBUG: 6568: WoW64fix: Windows version 6.2 not supported.
2025-12-09 07:39:00,496 [root] INFO: Loaded monitor into process with pid 6568
2025-12-09 07:39:00,496 [root] DEBUG: 6568: DLL loaded at 0x74F00000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x88000 bytes).
2025-12-09 07:39:00,496 [root] DEBUG: 6568: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:39:00,496 [root] DEBUG: 6568: DLL loaded at 0x755C0000: C:\Windows\SYSTEM32\kernel.appcore (0x13000 bytes).
2025-12-09 07:39:00,512 [root] DEBUG: 6568: DLL loaded at 0x753A0000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2025-12-09 07:39:00,543 [root] DEBUG: 6568: DLL loaded at 0x74E40000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xb3000 bytes).
2025-12-09 07:39:00,543 [root] DEBUG: 6568: DLL loaded at 0x753B0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x15000 bytes).
2025-12-09 07:39:00,543 [root] DEBUG: 6568: DLL loaded at 0x728E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x7bc000 bytes).
2025-12-09 07:39:00,543 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x03D23000, size: 0x1000.
2025-12-09 07:39:00,543 [root] DEBUG: 6568: GetEntropy: Error - Supplied address inaccessible: 0x03D20000
2025-12-09 07:39:00,543 [root] DEBUG: 6568: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:00,559 [root] DEBUG: 6568: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2025-12-09 07:39:00,559 [root] DEBUG: 6568: InstrumentationCallback: Added region at 0x76EE0000 to tracked regions list (thread 4392).
2025-12-09 07:39:00,637 [root] DEBUG: 6568: DLL loaded at 0x71490000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\31532774e8bbbd9c59b5e6d7829d3242\mscorlib.ni (0x144c000 bytes).
2025-12-09 07:39:00,637 [root] DEBUG: 6568: DLL loaded at 0x77560000: C:\Windows\System32\bcryptPrimitives (0x62000 bytes).
2025-12-09 07:39:00,653 [root] DEBUG: 6568: DLL loaded at 0x753D0000: C:\Windows\system32\uxtheme (0x7f000 bytes).
2025-12-09 07:39:00,653 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x04E10000, size: 0x1000.
2025-12-09 07:39:00,653 [root] DEBUG: 6568: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:00,653 [root] DEBUG: 6568: AllocationHandler: Processing previous tracked region at: 0x03D20000.
2025-12-09 07:39:00,653 [root] DEBUG: 6568: DumpPEsInRange: Scanning range 0x03D20000 - 0x03D20015.
2025-12-09 07:39:00,653 [root] DEBUG: 6568: ScanForDisguisedPE: Size too small: 0x15 bytes
2025-12-09 07:39:00,653 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_128876080391592122025 to CAPE\3ee52bf4b3bd0857e04665d780e33dea6ee3e64c887b914ace3f17f41f796d57; Size is 21; Max size: 100000000
2025-12-09 07:39:00,653 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_128876080391592122025 (size 21 bytes)
2025-12-09 07:39:00,653 [root] DEBUG: 6568: DumpRegion: Dumped entire allocation from 0x03D20000, size 4096 bytes.
2025-12-09 07:39:00,653 [root] DEBUG: 6568: ProcessTrackedRegion: Dumped region at 0x03D20000.
2025-12-09 07:39:00,653 [root] DEBUG: 6568: YaraScan: Scanning 0x03D20000, size 0x15
2025-12-09 07:39:00,668 [root] DEBUG: 6568: DLL loaded at 0x75E70000: C:\Windows\System32\OLEAUT32 (0x9c000 bytes).
2025-12-09 07:39:00,668 [root] DEBUG: 6568: hook_api: clrjit::compileMethod export address 0x7463A700 obtained via GetFunctionAddress
2025-12-09 07:39:00,668 [root] DEBUG: 6568: DLL loaded at 0x74620000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7e000 bytes).
2025-12-09 07:39:00,668 [root] DEBUG: 6568: .NET JIT native cache at 0x04E10000: scans and dumps active.
2025-12-09 07:39:00,668 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x04E10000 skipped
2025-12-09 07:39:00,700 [root] DEBUG: 6568: DLL loaded at 0x709A0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\5380d2b417dae69a597fcfb16c76a7b7\System.ni (0xa1c000 bytes).
2025-12-09 07:39:00,700 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x03D55000, size: 0x1000.
2025-12-09 07:39:00,700 [root] DEBUG: 6568: GetEntropy: Error - Supplied address inaccessible: 0x03D50000
2025-12-09 07:39:00,715 [root] DEBUG: 6568: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: AllocationHandler: Processing previous tracked region at: 0x04E10000.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x04E10000 skipped
2025-12-09 07:39:00,715 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x03D50000.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x03D50000.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: ProtectionHandler: Adding region at 0x001B2000 to tracked regions.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: ProtectionHandler: Processing previous tracked region at: 0x03D50000.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: DumpPEsInRange: Scanning range 0x03D50000 - 0x03D5008C.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: ScanForDisguisedPE: Size too small: 0x8c bytes
2025-12-09 07:39:00,715 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_137072650391592122025 to CAPE\3fd25c81c21d07d97f83c000170097e43af21a8a3f683178fdfecd54a2224d3b; Size is 140; Max size: 100000000
2025-12-09 07:39:00,715 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_137072650391592122025 (size 140 bytes)
2025-12-09 07:39:00,715 [root] DEBUG: 6568: DumpRegion: Dumped entire allocation from 0x03D50000, size 4096 bytes.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: ProcessTrackedRegion: Dumped region at 0x03D50000.
2025-12-09 07:39:00,715 [root] DEBUG: 6568: YaraScan: Scanning 0x03D50000, size 0x8c
2025-12-09 07:39:00,715 [root] DEBUG: 6568: YaraScan: Scanning 0x001B0000, size 0x240
2025-12-09 07:39:00,715 [root] DEBUG: 6568: ProcessImageBase: Main module image at 0x001B0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:39:00,715 [root] DEBUG: 6568: api-rate-cap: NtOpenProcess hook disabled due to rate
2025-12-09 07:39:00,825 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x03D20000.
2025-12-09 07:39:00,871 [root] DEBUG: 6568: DLL loaded at 0x70180000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\53a9cd078a677c9b2820831d13828801\System.Core.ni (0x818000 bytes).
2025-12-09 07:39:00,887 [root] DEBUG: 6568: DLL loaded at 0x74510000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\7ca34fb9f713c597d60f034e09f5da28\System.Configuration.ni (0x105000 bytes).
2025-12-09 07:39:00,887 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x03D4A000, size: 0x1000.
2025-12-09 07:39:00,887 [root] DEBUG: 6568: GetEntropy: Error - Supplied address inaccessible: 0x03D40000
2025-12-09 07:39:00,887 [root] DEBUG: 6568: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:00,887 [root] DEBUG: 6568: AllocationHandler: Processing previous tracked region at: 0x001B0000.
2025-12-09 07:39:00,887 [root] DEBUG: 6568: YaraScan: Scanning 0x001B0000, size 0x240
2025-12-09 07:39:00,887 [root] DEBUG: 6568: ProcessImageBase: Main module image at 0x001B0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:39:00,887 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x03D40000.
2025-12-09 07:39:00,887 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x03D40000.
2025-12-09 07:39:00,918 [root] DEBUG: 6568: DLL loaded at 0x6FA10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\dbbfe4100fa444758f5b90b58d6b6cd2\System.Xml.ni (0x76c000 bytes).
2025-12-09 07:39:00,934 [root] DEBUG: 6568: DLL loaded at 0x765D0000: C:\Windows\System32\shell32 (0x697000 bytes).
2025-12-09 07:39:00,965 [root] DEBUG: 6568: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:39:00,965 [root] DEBUG: 6568: DLL loaded at 0x752D0000: C:\Windows\SYSTEM32\wintypes (0xc7000 bytes).
2025-12-09 07:39:00,965 [root] DEBUG: 6568: DLL loaded at 0x746A0000: C:\Windows\SYSTEM32\windows.storage (0x6ec000 bytes).
2025-12-09 07:39:00,981 [root] DEBUG: 6568: DLL loaded at 0x77700000: C:\Windows\System32\SHCORE (0xc1000 bytes).
2025-12-09 07:39:00,981 [root] DEBUG: 6568: DLL loaded at 0x744F0000: C:\Windows\SYSTEM32\profapi (0x1d000 bytes).
2025-12-09 07:39:00,981 [root] DEBUG: 6568: DLL loaded at 0x74DF0000: C:\Windows\SYSTEM32\CRYPTSP (0x15000 bytes).
2025-12-09 07:39:00,996 [root] DEBUG: 6568: DLL loaded at 0x74DC0000: C:\Windows\system32\rsaenh (0x30000 bytes).
2025-12-09 07:39:00,996 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x04E10000.
2025-12-09 07:39:01,012 [root] DEBUG: 6568: DLL loaded at 0x74450000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22621.2506_none_fbe8e1f07808be9b\comctl32 (0x91000 bytes).
2025-12-09 07:39:01,012 [root] DEBUG: 6568: .NET JIT native cache at 0x07410000: scans and dumps active.
2025-12-09 07:39:01,012 [root] DEBUG: 6568: caller_dispatch: Added region at 0x07410000 to tracked regions list (kernel32::SetErrorMode returns to 0x074110FA, thread 4392).
2025-12-09 07:39:01,012 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x07410000 skipped
2025-12-09 07:39:01,012 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x03D3D000, size: 0x1000.
2025-12-09 07:39:01,012 [root] DEBUG: 6568: AllocationHandler: Processing previous tracked region at: 0x03D40000.
2025-12-09 07:39:01,012 [root] DEBUG: 6568: DumpPEsInRange: Scanning range 0x03D40000 - 0x03D4008C.
2025-12-09 07:39:01,012 [root] DEBUG: 6568: ScanForDisguisedPE: Size too small: 0x8c bytes
2025-12-09 07:39:01,012 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_708721391592122025 to CAPE\f3789173eebb2cdeb5cc1247ebf1650ef64010cb410b78783f13b73858f13e14; Size is 140; Max size: 100000000
2025-12-09 07:39:01,027 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_708721391592122025 (size 140 bytes)
2025-12-09 07:39:01,027 [root] DEBUG: 6568: DumpRegion: Dumped entire allocation from 0x03D40000, size 4096 bytes.
2025-12-09 07:39:01,027 [root] DEBUG: 6568: ProcessTrackedRegion: Dumped region at 0x03D40000.
2025-12-09 07:39:01,027 [root] DEBUG: 6568: YaraScan: Scanning 0x03D40000, size 0x8c
2025-12-09 07:39:01,043 [root] DEBUG: 6568: InstrumentationCallback: Added region at 0x75F30000 to tracked regions list (thread 4392).
2025-12-09 07:39:01,043 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x7EF70000, size: 0x50000.
2025-12-09 07:39:01,043 [root] DEBUG: 6568: GetEntropy: Error - Supplied address inaccessible: 0x7EF70000
2025-12-09 07:39:01,043 [root] DEBUG: 6568: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:01,043 [root] DEBUG: 6568: AllocationHandler: Processing previous tracked region at: 0x03D30000.
2025-12-09 07:39:01,043 [root] DEBUG: 6568: DumpPEsInRange: Scanning range 0x03D30000 - 0x03D3D0F6.
2025-12-09 07:39:01,043 [root] DEBUG: 6568: ScanForDisguisedPE: No PE image located in range 0x03D30000-0x03D3D0F6.
2025-12-09 07:39:01,043 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_11027351391592122025 to CAPE\de556c3a42f872a83e49c892ac174d285be4923a8321cb189c47b6d774ec6bea; Size is 53494; Max size: 100000000
2025-12-09 07:39:01,059 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_11027351391592122025 (size 53494 bytes)
2025-12-09 07:39:01,059 [root] DEBUG: 6568: DumpRegion: Dumped entire allocation from 0x03D30000, size 57344 bytes.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: ProcessTrackedRegion: Dumped region at 0x03D30000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: YaraScan: Scanning 0x03D30000, size 0xd0f6
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7EF70000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Previously reserved region at 0x7EF70000, committing at: 0x7EF70000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x7EF70000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x7EF70000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Adding allocation to tracked region list: 0x7EF60000, size: 0x10000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: GetEntropy: Error - Supplied address inaccessible: 0x7EF60000
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Processing previous tracked region at: 0x7EF70000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: DumpPEsInRange: Scanning range 0x7EF70000 - 0x7EF7003C.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: ScanForDisguisedPE: Size too small: 0x3c bytes
2025-12-09 07:39:01,059 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_11417091391592122025 to CAPE\3deb629b7d2fb549a3affe1f753c3c96fbfccc71cb335834412b40c0ca87833c; Size is 60; Max size: 100000000
2025-12-09 07:39:01,059 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_11417091391592122025 (size 60 bytes)
2025-12-09 07:39:01,059 [root] DEBUG: 6568: DumpRegion: Dumped entire allocation from 0x7EF70000, size 4096 bytes.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: ProcessTrackedRegion: Dumped region at 0x7EF70000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: YaraScan: Scanning 0x7EF70000, size 0x3c
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7EF60000.
2025-12-09 07:39:01,059 [root] DEBUG: 6568: AllocationHandler: Previously reserved region at 0x7EF60000, committing at: 0x7EF60000.
2025-12-09 07:39:01,074 [root] DEBUG: 6568: DLL loaded at 0x74060000: C:\Windows\SYSTEM32\iertutil (0x238000 bytes).
2025-12-09 07:39:01,090 [root] DEBUG: 6568: DLL loaded at 0x74040000: C:\Windows\SYSTEM32\srvcli (0x1d000 bytes).
2025-12-09 07:39:01,090 [root] DEBUG: 6568: DLL loaded at 0x74E30000: C:\Windows\SYSTEM32\netutils (0xb000 bytes).
2025-12-09 07:39:01,090 [root] DEBUG: 6568: DLL loaded at 0x742A0000: C:\Windows\SYSTEM32\urlmon (0x1a2000 bytes).
2025-12-09 07:39:01,106 [root] DEBUG: 6568: DLL loaded at 0x73F70000: C:\Windows\SYSTEM32\PROPSYS (0xc7000 bytes).
2025-12-09 07:39:01,121 [root] DEBUG: 6568: DLL loaded at 0x73B20000: C:\Windows\SYSTEM32\virtdisk (0x12000 bytes).
2025-12-09 07:39:01,137 [root] DEBUG: 6568: .NET JIT native cache at 0x079A0000: scans and dumps active.
2025-12-09 07:39:01,137 [root] DEBUG: 6568: caller_dispatch: Added region at 0x079A0000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x079A16D3, thread 4392).
2025-12-09 07:39:01,137 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x079A0000 skipped
2025-12-09 07:39:01,152 [root] DEBUG: 6568: DLL loaded at 0x739B0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.22621.2506_none_9fa484a5e29783d4\gdiplus (0x16d000 bytes).
2025-12-09 07:39:01,168 [root] DEBUG: 6568: DLL loaded at 0x73780000: C:\Windows\SYSTEM32\DWrite (0x224000 bytes).
2025-12-09 07:39:01,184 [root] DEBUG: 6568: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:39:01,184 [root] DEBUG: 6568: DLL loaded at 0x77920000: C:\Windows\System32\MSCTF (0xfc000 bytes).
2025-12-09 07:39:01,653 [root] DEBUG: 6568: .NET JIT native cache at 0x078E0000: scans and dumps active.
2025-12-09 07:39:01,653 [root] DEBUG: 6568: caller_dispatch: Added region at 0x078E0000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x078E0737, thread 4392).
2025-12-09 07:39:01,653 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x078E0000 skipped
2025-12-09 07:39:01,668 [root] DEBUG: 6568: DLL loaded at 0x736E0000: C:\Windows\SYSTEM32\TextShaping (0x95000 bytes).
2025-12-09 07:39:01,684 [root] DEBUG: 6568: AllocationHandler: Allocation already in tracked region list: 0x03D40000.
2025-12-09 07:39:01,684 [root] DEBUG: 6568: hook_api: Warning - ScriptIsComplex export address 0x73641794 differs from GetProcAddress -> 0x76DF0E50 (gdi32full.dll::0x90e50)
2025-12-09 07:39:01,684 [root] DEBUG: 6568: DLL loaded at 0x73640000: C:\Windows\SYSTEM32\USP10 (0x17000 bytes).
2025-12-09 07:39:01,684 [root] DEBUG: 6568: DLL loaded at 0x73610000: C:\Windows\SYSTEM32\msls31 (0x2c000 bytes).
2025-12-09 07:39:01,684 [root] DEBUG: 6568: DLL loaded at 0x73660000: C:\Windows\SYSTEM32\RichEd20 (0x7d000 bytes).
2025-12-09 07:39:01,731 [root] DEBUG: 6568: .NET JIT native cache at 0x07910000: scans and dumps active.
2025-12-09 07:39:01,731 [root] DEBUG: 6568: caller_dispatch: Added region at 0x07910000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0791137E, thread 4392).
2025-12-09 07:39:01,731 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x07910000 skipped
2025-12-09 07:39:01,762 [root] DEBUG: 6568: DLL loaded at 0x734B0000: C:\Windows\SYSTEM32\WindowsCodecs (0x160000 bytes).
2025-12-09 07:39:01,778 [root] DEBUG: 6568: .NET JIT native cache at 0x07940000: scans and dumps active.
2025-12-09 07:39:01,778 [root] DEBUG: 6568: caller_dispatch: Added region at 0x07940000 to tracked regions list (kernel32::SetErrorMode returns to 0x0794146D, thread 4392).
2025-12-09 07:39:01,793 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x07940000 skipped
2025-12-09 07:39:01,824 [root] DEBUG: 6568: .NET JIT native cache at 0x07950000: scans and dumps active.
2025-12-09 07:39:01,840 [root] DEBUG: 6568: caller_dispatch: Added region at 0x07950000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x079509F0, thread 4392).
2025-12-09 07:39:01,840 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x07950000 skipped
2025-12-09 07:39:01,840 [root] DEBUG: 6568: DLL loaded at 0x6F7E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22621.2506_none_6eb991c088050a06\comctl32 (0x228000 bytes).
2025-12-09 07:39:01,918 [root] DEBUG: 6568: api-rate-cap: NtClose hook disabled due to rate
2025-12-09 07:39:01,918 [root] DEBUG: 6568: api-rate-cap: NtClose hook disabled due to rate
2025-12-09 07:39:01,918 [root] DEBUG: 6568: caller_dispatch: Added region at 0x09D50000 to tracked regions list (advapi32::CryptAcquireContextA returns to 0x09D51339, thread 4392).
2025-12-09 07:39:01,918 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x09D50000 skipped
2025-12-09 07:39:01,949 [root] DEBUG: 6568: DLL loaded at 0x73460000: C:\Windows\SYSTEM32\wldp (0x44000 bytes).
2025-12-09 07:39:01,949 [root] DEBUG: 6568: DLL loaded at 0x73440000: C:\Windows\SYSTEM32\amsi (0x15000 bytes).
2025-12-09 07:39:01,949 [root] DEBUG: 6568: DLL loaded at 0x6F7B0000: C:\Windows\SYSTEM32\USERENV (0x24000 bytes).
2025-12-09 07:39:01,965 [root] DEBUG: 6568: DLL loaded at 0x6F740000: C:\Program Files (x86)\Windows Defender\MpOav (0x6b000 bytes).
2025-12-09 07:39:01,965 [root] DEBUG: 6568: AmsiDumper: Dumping AMSI buffer at 0x053C481C, size 0x4200
2025-12-09 07:39:01,965 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_248998951390103122025 to CAPE\79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696; Size is 16896; Max size: 100000000
2025-12-09 07:39:01,965 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_248998951390103122025 (size 16896 bytes)
2025-12-09 07:39:01,981 [root] DEBUG: 6568: DLL loaded at 0x76460000: C:\Windows\System32\WINTRUST (0x58000 bytes).
2025-12-09 07:39:01,981 [root] DEBUG: 6568: DLL loaded at 0x6F650000: C:\Program Files (x86)\Windows Defender\MPCLIENT (0xe1000 bytes).
2025-12-09 07:39:01,981 [root] DEBUG: 6568: DLL loaded at 0x73430000: C:\Windows\System32\MSASN1 (0xe000 bytes).
2025-12-09 07:39:01,996 [root] DEBUG: 6568: DLL loaded at 0x6F620000: C:\Windows\SYSTEM32\gpapi (0x21000 bytes).
2025-12-09 07:39:27,591 [root] DEBUG: 6568: AmsiDumper: Dumping AMSI buffer at 0x05F10DF0, size 0x7cc00
2025-12-09 07:39:27,591 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_491889327390103122025 to CAPE\dafee86178755f8e1d8d360e07c9e0d756d614ccb7b9dd3c559979a27cf47e75; Size is 510976; Max size: 100000000
2025-12-09 07:39:27,591 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_491889327390103122025 (size 510976 bytes)
2025-12-09 07:39:27,607 [root] DEBUG: 6568: .NET JIT native cache at 0x09E80000: scans and dumps active.
2025-12-09 07:39:27,607 [root] DEBUG: 6568: caller_dispatch: Added region at 0x09E80000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x09E808C6, thread 4392).
2025-12-09 07:39:27,607 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x09E80000 skipped
2025-12-09 07:39:27,638 [root] DEBUG: 6568: AmsiDumper: Dumping AMSI buffer at 0x05FD81D0, size 0x37e00
2025-12-09 07:39:27,638 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_1465549827390103122025 to CAPE\4fae2d624819e95667c479b054412ee5b1553f384dd23aecd907f0205efc0552; Size is 228864; Max size: 100000000
2025-12-09 07:39:27,638 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_1465549827390103122025 (size 228864 bytes)
2025-12-09 07:39:37,701 [root] DEBUG: 6568: DLL loaded at 0x76E50000: C:\Windows\System32\clbcatq (0x82000 bytes).
2025-12-09 07:39:37,701 [root] DEBUG: 6568: DLL loaded at 0x6F5E0000: C:\Windows\SYSTEM32\CFGMGR32 (0x3d000 bytes).
2025-12-09 07:39:37,716 [root] DEBUG: 6568: DLL loaded at 0x71470000: C:\Windows\SYSTEM32\edputil (0x1f000 bytes).
2025-12-09 07:39:37,716 [root] DEBUG: 6568: DLL loaded at 0x6F580000: C:\Windows\System32\Windows.StateRepositoryPS (0x5f000 bytes).
2025-12-09 07:39:37,732 [root] DEBUG: 6568: DLL loaded at 0x6F560000: C:\Windows\System32\smartscreenps (0x13000 bytes).
2025-12-09 07:39:37,732 [root] DEBUG: 6568: DLL loaded at 0x6F4F0000: C:\Windows\SYSTEM32\shdocvw (0x6f000 bytes).
2025-12-09 07:39:37,747 [root] DEBUG: 6568: DLL loaded at 0x6F470000: C:\Windows\System32\appresolver (0x80000 bytes).
2025-12-09 07:39:37,747 [root] DEBUG: 6568: DLL loaded at 0x6F420000: C:\Windows\System32\Bcp47Langs (0x49000 bytes).
2025-12-09 07:39:37,763 [root] DEBUG: 6568: DLL loaded at 0x6F1A0000: C:\Windows\System32\OneCoreUAPCommonProxyStub (0x27d000 bytes).
2025-12-09 07:39:37,763 [lib.api.process] INFO: Monitor config for <Process 848 svchost.exe>: C:\tmpuce0d7me\dll\848.ini
2025-12-09 07:39:37,763 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:39:37,763 [root] DEBUG: Loader: Injecting process 848 with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:39:37,778 [root] DEBUG: 848: Python path set to 'C:\Python38'.
2025-12-09 07:39:37,778 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:37,778 [root] DEBUG: 848: Dropped file limit defaulting to 100.
2025-12-09 07:39:37,778 [root] DEBUG: 848: Services hook set enabled
2025-12-09 07:39:37,778 [root] DEBUG: 848: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:39:37,778 [root] DEBUG: 848: GetAddressByYara: ModuleBase 0x00007FF8E5730000 FunctionName RtlInsertInvertedFunctionTable
2025-12-09 07:39:37,778 [root] DEBUG: 848: RtlInsertInvertedFunctionTable 0x00007FF8E575BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FF8E58B70F0
2025-12-09 07:39:37,778 [root] DEBUG: 848: AmsiDumper initialised.
2025-12-09 07:39:37,778 [root] DEBUG: 848: Monitor initialised: 64-bit capemon loaded in process 848 at 0x00007FF8B7F50000, thread 5312, image base 0x00007FF74CCC0000, stack from 0x00000059B1AF5000-0x00000059B1B00000
2025-12-09 07:39:37,778 [root] DEBUG: 848: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
2025-12-09 07:39:37,794 [root] DEBUG: 848: hook_api: Warning - CoCreateInstance export address 0x00007FF8E4157EF9 differs from GetProcAddress -> 0x00007FF8E4CA2050 (combase.dll::0x42050)
2025-12-09 07:39:37,794 [root] DEBUG: 848: hook_api: Warning - CoCreateInstanceEx export address 0x00007FF8E4157F38 differs from GetProcAddress -> 0x00007FF8E4C7CC40 (combase.dll::0x1cc40)
2025-12-09 07:39:37,794 [root] DEBUG: 848: hook_api: Warning - CoGetClassObject export address 0x00007FF8E41584C8 differs from GetProcAddress -> 0x00007FF8E4D29870 (combase.dll::0xc9870)
2025-12-09 07:39:37,794 [root] DEBUG: 848: Hooked 69 out of 69 functions
2025-12-09 07:39:37,794 [root] INFO: Loaded monitor into process with pid 848
2025-12-09 07:39:37,794 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:39:37,794 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:39:37,794 [lib.api.process] INFO: Injected into 64-bit <Process 848 svchost.exe>
2025-12-09 07:39:39,811 [root] DEBUG: 6568: CreateProcessHandler: Injection info set for new process 4360: C:\Windows\System32\schtasks.exe, ImageBase: 0x00B00000
2025-12-09 07:39:39,811 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 4360
2025-12-09 07:39:39,811 [lib.api.process] INFO: Monitor config for <Process 4360 schtasks.exe>: C:\tmpuce0d7me\dll\4360.ini
2025-12-09 07:39:39,811 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:39,811 [root] DEBUG: Loader: Injecting process 4360 (thread 2788) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:39,811 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:39:39,811 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:39,811 [lib.api.process] INFO: Injected into 32-bit <Process 4360 schtasks.exe>
2025-12-09 07:39:39,857 [root] DEBUG: 4360: Python path set to 'C:\Python38'.
2025-12-09 07:39:39,857 [root] DEBUG: 4360: Dropped file limit defaulting to 100.
2025-12-09 07:39:39,857 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:39,857 [root] DEBUG: 4360: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:39:39,857 [root] DEBUG: 4360: YaraScan: Scanning 0x00B00000, size 0x35bc8
2025-12-09 07:39:39,857 [root] DEBUG: 4360: AmsiDumper initialised.
2025-12-09 07:39:39,857 [root] DEBUG: 4360: Monitor initialised: 32-bit capemon loaded in process 4360 at 0x74fc0000, thread 2788, image base 0xb00000, stack from 0x906000-0x910000
2025-12-09 07:39:39,857 [root] DEBUG: 4360: Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFinHcUy" /XML "C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp"
2025-12-09 07:39:39,857 [root] DEBUG: 4360: GetAddressByYara: ModuleBase 0x77AF0000 FunctionName LdrpCallInitRoutine
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: LdrpCallInitRoutine export address 0x77B666A0 obtained via GetFunctionAddress
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - CreateRemoteThreadEx export address 0x75FC9A4C differs from GetProcAddress -> 0x76FFDDB0 (KERNELBASE.dll::0x11ddb0)
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - CoCreateInstance export address 0x77890FEB differs from GetProcAddress -> 0x7724FF70 (combase.dll::0xdff70)
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - CoCreateInstanceEx export address 0x7789102A differs from GetProcAddress -> 0x7729CCF0 (combase.dll::0x12ccf0)
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - CoGetClassObject export address 0x778915BA differs from GetProcAddress -> 0x77212BD0 (combase.dll::0xa2bd0)
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - UpdateProcThreadAttribute export address 0x75FD18BA differs from GetProcAddress -> 0x7702BD10 (KERNELBASE.dll::0x14bd10)
2025-12-09 07:39:39,873 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:39:39,873 [root] DEBUG: 4360: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:39:39,873 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:39:39,873 [root] DEBUG: 4360: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - CLSIDFromProgID export address 0x77890824 differs from GetProcAddress -> 0x771E54C0 (combase.dll::0x754c0)
2025-12-09 07:39:39,873 [root] DEBUG: 4360: hook_api: Warning - CLSIDFromProgIDEx export address 0x77890861 differs from GetProcAddress -> 0x771DFF40 (combase.dll::0x6ff40)
2025-12-09 07:39:39,873 [root] DEBUG: 4360: Hooked 611 out of 613 functions
2025-12-09 07:39:39,873 [root] DEBUG: 4360: Syscall hook installed, syscall logging level 1
2025-12-09 07:39:39,873 [root] DEBUG: 4360: WoW64fix: Windows version 10.0 not supported.
2025-12-09 07:39:39,889 [root] INFO: Loaded monitor into process with pid 4360
2025-12-09 07:39:39,889 [root] DEBUG: 4360: caller_dispatch: Added region at 0x00B00000 to tracked regions list (ntdll::memcpy returns to 0x00B2144A, thread 2788).
2025-12-09 07:39:39,889 [root] DEBUG: 4360: YaraScan: Scanning 0x00B00000, size 0x35bc8
2025-12-09 07:39:39,889 [root] DEBUG: 4360: ProcessImageBase: Main module image at 0x00B00000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:39:39,889 [root] DEBUG: 4360: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:39:39,889 [root] DEBUG: 4360: DLL loaded at 0x755C0000: C:\Windows\SYSTEM32\kernel.appcore (0x13000 bytes).
2025-12-09 07:39:39,889 [root] DEBUG: 4360: DLL loaded at 0x77560000: C:\Windows\System32\bcryptPrimitives (0x62000 bytes).
2025-12-09 07:39:39,889 [root] DEBUG: 4360: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:39:39,889 [root] INFO: Stopping Task Scheduler Service
2025-12-09 07:39:39,920 [root] INFO: Stopped Task Scheduler Service
2025-12-09 07:39:39,951 [root] INFO: Starting Task Scheduler Service
2025-12-09 07:39:39,967 [root] INFO: Started Task Scheduler Service
2025-12-09 07:39:39,967 [lib.api.process] INFO: Monitor config for <Process 1260 svchost.exe>: C:\tmpuce0d7me\dll\1260.ini
2025-12-09 07:39:39,967 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:39:39,983 [root] DEBUG: Loader: Injecting process 1260 with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:39:39,983 [root] DEBUG: 1260: Python path set to 'C:\Python38'.
2025-12-09 07:39:39,983 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:39,983 [root] DEBUG: 1260: Dropped file limit defaulting to 100.
2025-12-09 07:39:39,983 [root] DEBUG: 1260: Services hook set enabled
2025-12-09 07:39:39,983 [root] DEBUG: 1260: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:39:39,983 [root] DEBUG: 1260: GetAddressByYara: ModuleBase 0x00007FF8E5730000 FunctionName RtlInsertInvertedFunctionTable
2025-12-09 07:39:39,998 [root] DEBUG: 1260: RtlInsertInvertedFunctionTable 0x00007FF8E575BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FF8E58B70F0
2025-12-09 07:39:39,998 [root] DEBUG: 1260: AmsiDumper initialised.
2025-12-09 07:39:39,998 [root] DEBUG: 1260: Monitor initialised: 64-bit capemon loaded in process 1260 at 0x00007FF8B7F50000, thread 3964, image base 0x00007FF74CCC0000, stack from 0x000000222E876000-0x000000222E880000
2025-12-09 07:39:39,998 [root] DEBUG: 1260: Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
2025-12-09 07:39:39,998 [root] DEBUG: 1260: hook_api: Warning - CoCreateInstance export address 0x00007FF8E4157EF9 differs from GetProcAddress -> 0x00007FF8E4CA2050 (combase.dll::0x42050)
2025-12-09 07:39:39,998 [root] DEBUG: 1260: hook_api: Warning - CoCreateInstanceEx export address 0x00007FF8E4157F38 differs from GetProcAddress -> 0x00007FF8E4C7CC40 (combase.dll::0x1cc40)
2025-12-09 07:39:39,998 [root] DEBUG: 1260: hook_api: Warning - CoGetClassObject export address 0x00007FF8E41584C8 differs from GetProcAddress -> 0x00007FF8E4D29870 (combase.dll::0xc9870)
2025-12-09 07:39:39,998 [root] DEBUG: 1260: Hooked 69 out of 69 functions
2025-12-09 07:39:39,998 [root] INFO: Loaded monitor into process with pid 1260
2025-12-09 07:39:39,998 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:39:39,998 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:39:39,998 [lib.api.process] INFO: Injected into 64-bit <Process 1260 svchost.exe>
2025-12-09 07:39:42,029 [root] DEBUG: 4360: DLL loaded at 0x76E50000: C:\Windows\System32\clbcatq (0x82000 bytes).
2025-12-09 07:39:42,029 [root] DEBUG: 4360: DLL loaded at 0x6F110000: C:\Windows\System32\taskschd (0x82000 bytes).
2025-12-09 07:39:42,045 [root] DEBUG: 4360: NtTerminateProcess hook: Attempting to dump process 4360
2025-12-09 07:39:42,045 [root] DEBUG: 4360: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:39:42,045 [root] INFO: Process with pid 4360 has terminated
2025-12-09 07:39:42,045 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp to files\de02668b6ba24cc86efcf585ab1085b3350a5ef37dcb03a37c857bedd02a3854; Size is 1637; Max size: 100000000
2025-12-09 07:39:42,045 [root] DEBUG: 6568: CreateProcessHandler: Injection info set for new process 6320: C:\Users\user\AppData\Local\Temp\BL 216238068 DOCS.exe, ImageBase: 0x00DB0000
2025-12-09 07:39:42,045 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,061 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,061 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,061 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,061 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,076 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,076 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,076 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,076 [root] DEBUG: 6568: WriteMemoryHandler: Executable binary injected into process 6320 (ImageBase 0x400000)
2025-12-09 07:39:42,076 [root] DEBUG: 6568: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6568)
2025-12-09 07:39:42,076 [root] DEBUG: 6568: DumpPE: Instantiating PeParser with address: 0x05FF9E70.
2025-12-09 07:39:42,092 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_66044042390103122025 to CAPE\b91307eeae6495cc3202fb1ec39e3f58534be4b1a60795d0b31fd52c76f040d4; Size is 221696; Max size: 100000000
2025-12-09 07:39:42,092 [root] DEBUG: 6568: DumpPE: PE file at 0x05FF9E70 dumped successfully - dump size 0x36200.
2025-12-09 07:39:42,092 [root] DEBUG: 6568: WriteMemoryHandler: Dumped PE image from buffer at 0x5ff9e70, SizeOfImage 0x3c000.
2025-12-09 07:39:42,092 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,108 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,108 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,108 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,108 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,108 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,108 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,108 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,108 [root] DEBUG: 6568: WriteMemoryHandler: shellcode at 0x060EF6B0 (size 0x35800) injected into process 6320.
2025-12-09 07:39:42,123 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_331063242390103122025 to CAPE\32cf2c0a9fe2ccdeb8ae0dde5568ee98bf99d04d2dd24d89d86cc7d8a397508a; Size is 219043; Max size: 100000000
2025-12-09 07:39:42,139 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_331063242390103122025 (size 219043 bytes)
2025-12-09 07:39:42,139 [root] DEBUG: 6568: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-12-09 07:39:42,139 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,186 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,186 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,186 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,186 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,186 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,186 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,186 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,186 [root] DEBUG: 6568: WriteMemoryHandler: shellcode at 0x050F77A4 (size 0x600) injected into process 6320.
2025-12-09 07:39:42,186 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_370995642390103122025 to CAPE\79b5e149f01cb3e0a1957f756a1b11167e8478bdb5358110c5661fe53f9519ed; Size is 1354; Max size: 100000000
2025-12-09 07:39:42,201 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_370995642390103122025 (size 1354 bytes)
2025-12-09 07:39:42,201 [root] DEBUG: 6568: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-12-09 07:39:42,201 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,201 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,201 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,217 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,217 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,217 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,217 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,217 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,217 [root] DEBUG: 6568: WriteMemoryHandler: shellcode at 0x050F7DB0 (size 0x200) injected into process 6320.
2025-12-09 07:39:42,232 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_149990442390103122025 to CAPE\091545e6a05c1ebb529baafe2a5e312b4702fde4e138e8c96c264d2b21a030c1; Size is 10; Max size: 100000000
2025-12-09 07:39:42,248 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_149990442390103122025 (size 10 bytes)
2025-12-09 07:39:42,248 [root] DEBUG: 6568: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-12-09 07:39:42,248 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,248 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,248 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,248 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,248 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,248 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,248 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,248 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,248 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,248 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,248 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,264 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,264 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,264 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,264 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,264 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,264 [root] DEBUG: 6568: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0003779E (process 6320).
2025-12-09 07:39:42,264 [root] INFO: Announced 32-bit process name: BL 216238068 DOCS.exe pid: 6320
2025-12-09 07:39:42,264 [lib.api.process] INFO: Monitor config for <Process 6320 BL 216238068 DOCS.exe>: C:\tmpuce0d7me\dll\6320.ini
2025-12-09 07:39:42,264 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:39:42,279 [root] DEBUG: Loader: Injecting process 6320 (thread 2132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,279 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2025-12-09 07:39:42,279 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2025-12-09 07:39:42,279 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:39:42,279 [lib.api.process] INFO: Injected into 32-bit <Process 6320 BL 216238068 DOCS.exe>
2025-12-09 07:39:42,295 [root] DEBUG: 6568: .NET JIT native cache at 0x09900000: scans and dumps active.
2025-12-09 07:39:42,295 [root] DEBUG: 6320: Python path set to 'C:\Python38'.
2025-12-09 07:39:42,295 [root] DEBUG: 6568: caller_dispatch: Added region at 0x09900000 to tracked regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x09900D10, thread 1324).
2025-12-09 07:39:42,295 [root] DEBUG: 6320: Dropped file limit defaulting to 100.
2025-12-09 07:39:42,295 [root] DEBUG: 6568: ProcessTrackedRegion: .NET cache region at 0x09900000 skipped
2025-12-09 07:39:42,311 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:42,311 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Roaming\WFinHcUy.exe
2025-12-09 07:39:42,311 [root] DEBUG: 6320: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:39:42,311 [root] DEBUG: 6568: NtTerminateProcess hook: Attempting to dump process 6568
2025-12-09 07:39:42,311 [root] DEBUG: 6320: YaraScan: Scanning 0x00400000, size 0x3a00a
2025-12-09 07:39:42,311 [root] DEBUG: 6568: VerifyCodeSection: Executable code does not match, 0x0 of 0x14c00 matching
2025-12-09 07:39:42,311 [root] DEBUG: 6320: CAPE_init: Main executable image temporarily remapped for scanning at 0x04AE0000
2025-12-09 07:39:42,311 [root] DEBUG: 6568: DoProcessDump: Code modification detected, dumping Imagebase at 0x001B0000.
2025-12-09 07:39:42,311 [root] DEBUG: 6568: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-12-09 07:39:42,311 [root] DEBUG: 6320: YaraScan: Scanning 0x04AE0000, size 0x3bfff
2025-12-09 07:39:42,311 [root] DEBUG: 6568: DumpProcess: Instantiating PeParser with address: 0x001B0000.
2025-12-09 07:39:42,311 [root] DEBUG: 6320: AmsiDumper initialised.
2025-12-09 07:39:42,311 [root] DEBUG: 6568: DumpProcess: Module entry point VA is 0x000C600A.
2025-12-09 07:39:42,311 [root] DEBUG: 6320: Monitor initialised: 32-bit capemon loaded in process 6320 at 0x74fc0000, thread 2132, image base 0x400000, stack from 0x12f6000-0x1300000
2025-12-09 07:39:42,311 [root] DEBUG: 6568: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x001B2000, section 1
2025-12-09 07:39:42,311 [root] DEBUG: 6320: Commandline: "{path}"
2025-12-09 07:39:42,327 [root] DEBUG: 6568: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x001C8000, section 2
2025-12-09 07:39:42,327 [root] DEBUG: 6320: GetAddressByYara: ModuleBase 0x77AF0000 FunctionName LdrpCallInitRoutine
2025-12-09 07:39:42,327 [root] DEBUG: 6568: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00274000, section 4
2025-12-09 07:39:42,327 [root] DEBUG: 6320: hook_api: LdrpCallInitRoutine export address 0x77B666A0 obtained via GetFunctionAddress
2025-12-09 07:39:42,327 [root] DEBUG: 6320: hook_api: Warning - CreateRemoteThreadEx export address 0x75FC9A4C differs from GetProcAddress -> 0x76FFDDB0 (KERNELBASE.dll::0x11ddb0)
2025-12-09 07:39:42,327 [root] DEBUG: 6320: hook_api: Warning - CoCreateInstance export address 0x77890FEB differs from GetProcAddress -> 0x7724FF70 (combase.dll::0xdff70)
2025-12-09 07:39:42,327 [root] DEBUG: 6320: hook_api: Warning - CoCreateInstanceEx export address 0x7789102A differs from GetProcAddress -> 0x7729CCF0 (combase.dll::0x12ccf0)
2025-12-09 07:39:42,327 [root] DEBUG: 6320: hook_api: Warning - CoGetClassObject export address 0x778915BA differs from GetProcAddress -> 0x77212BD0 (combase.dll::0xa2bd0)
2025-12-09 07:39:42,327 [root] DEBUG: 6320: hook_api: Warning - UpdateProcThreadAttribute export address 0x75FD18BA differs from GetProcAddress -> 0x7702BD10 (KERNELBASE.dll::0x14bd10)
2025-12-09 07:39:42,327 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_872272542390103122025 to procdump\df8f0a627883ee8203023607e4ecc930bb806d8be420d887216b3d779adabeed; Size is 6144; Max size: 100000000
2025-12-09 07:39:42,342 [root] DEBUG: 6568: DumpProcess: Module image dump success - dump size 0x1800.
2025-12-09 07:39:42,342 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:39:42,342 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x04E10000.
2025-12-09 07:39:42,342 [root] DEBUG: 6320: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:39:42,342 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:39:42,342 [root] DEBUG: 6320: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:39:42,342 [root] DEBUG: 6320: hook_api: Warning - CLSIDFromProgID export address 0x77890824 differs from GetProcAddress -> 0x771E54C0 (combase.dll::0x754c0)
2025-12-09 07:39:42,342 [root] DEBUG: 6320: hook_api: Warning - CLSIDFromProgIDEx export address 0x77890861 differs from GetProcAddress -> 0x771DFF40 (combase.dll::0x6ff40)
2025-12-09 07:39:42,342 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_376747242390103122025 to CAPE\b738c63f62b0665335dad1fe0c1e0715a40ce64c36a5c292a82d5cedfc04a9f1; Size is 65483; Max size: 100000000
2025-12-09 07:39:42,342 [root] DEBUG: 6320: Hooked 611 out of 613 functions
2025-12-09 07:39:42,342 [root] DEBUG: 6320: Syscall hook installed, syscall logging level 1
2025-12-09 07:39:42,342 [root] DEBUG: 6320: WoW64fix: Windows version 6.2 not supported.
2025-12-09 07:39:42,342 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_376747242390103122025 (size 65483 bytes)
2025-12-09 07:39:42,342 [root] INFO: Loaded monitor into process with pid 6320
2025-12-09 07:39:42,342 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x07410000.
2025-12-09 07:39:42,342 [root] DEBUG: 6320: caller_dispatch: Added region at 0x00F50000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00F5003A, thread 2132).
2025-12-09 07:39:42,342 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x00F50000 - 0x00F5012C.
2025-12-09 07:39:42,342 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x12c bytes
2025-12-09 07:39:42,342 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_867688242390103122025 to CAPE\9fb211bfda108a6b52f76ddf012a7f2a1e0f04b8b6ebc78232b50e10f51fe0ed; Size is 65502; Max size: 100000000
2025-12-09 07:39:42,357 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_931847442390103122025 to CAPE\a72df58c7eda286016f4d278e3366fd188ecc7602a1c9ccbd922590edfc0a6ec; Size is 300; Max size: 100000000
2025-12-09 07:39:42,357 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_867688242390103122025 (size 65502 bytes)
2025-12-09 07:39:42,357 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x078E0000.
2025-12-09 07:39:42,357 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_931847442390103122025 (size 300 bytes)
2025-12-09 07:39:42,357 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x00F50000, size 4096 bytes.
2025-12-09 07:39:42,357 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_320943042390103122025 to CAPE\a6b78b2a8cad3660b401f372a4b952e51863c7d583f69956f4b3a2c381be325c; Size is 65425; Max size: 100000000
2025-12-09 07:39:42,357 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x00F50000.
2025-12-09 07:39:42,357 [root] DEBUG: 6320: YaraScan: Scanning 0x00F50000, size 0x12c
2025-12-09 07:39:42,357 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_320943042390103122025 (size 65425 bytes)
2025-12-09 07:39:42,357 [root] DEBUG: 6320: caller_dispatch: Added region at 0x00F60000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00F6003A, thread 2132).
2025-12-09 07:39:42,357 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x07910000.
2025-12-09 07:39:42,357 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x00F60000 - 0x00F6012C.
2025-12-09 07:39:42,357 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x12c bytes
2025-12-09 07:39:42,357 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_407372742390103122025 to CAPE\2d9c4de077cfbd2870bb63e89a335b269631d66a12cd2e6516e78895e766d1c8; Size is 65499; Max size: 100000000
2025-12-09 07:39:42,357 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_704539542390103122025 to CAPE\6d5379d91d62ccb43b1377643b3040ce6208740adf893205ed17c436395f4440; Size is 300; Max size: 100000000
2025-12-09 07:39:42,357 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_407372742390103122025 (size 65499 bytes)
2025-12-09 07:39:42,357 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_704539542390103122025 (size 300 bytes)
2025-12-09 07:39:42,357 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x07940000.
2025-12-09 07:39:42,357 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x00F60000, size 4096 bytes.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x00F60000.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: YaraScan: Scanning 0x00F60000, size 0x12c
2025-12-09 07:39:42,373 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_997565142390103122025 to CAPE\05da8891dca7ed371891f50ebbdaa0551481408b1849d3d65fb7c96d917b3c5f; Size is 65483; Max size: 100000000
2025-12-09 07:39:42,373 [root] DEBUG: 6320: caller_dispatch: Added region at 0x00F70000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00F7003A, thread 2132).
2025-12-09 07:39:42,373 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x00F70000 - 0x00F7012C.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x12c bytes
2025-12-09 07:39:42,373 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_997565142390103122025 (size 65483 bytes)
2025-12-09 07:39:42,373 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x07950000.
2025-12-09 07:39:42,373 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_1122991142390103122025 to CAPE\0a128b070da7601d15f9e4c66efc4c06ddf042d029d0217c1184ae1d6687a519; Size is 300; Max size: 100000000
2025-12-09 07:39:42,373 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_1122991142390103122025 (size 300 bytes)
2025-12-09 07:39:42,373 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_384600342390103122025 to CAPE\f3269d5525ad2185fa3334b3f3f9b88f6ee110a60c4e855362acc08d11447f70; Size is 65448; Max size: 100000000
2025-12-09 07:39:42,373 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x00F70000, size 4096 bytes.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x00F70000.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: YaraScan: Scanning 0x00F70000, size 0x12c
2025-12-09 07:39:42,373 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_384600342390103122025 (size 65448 bytes)
2025-12-09 07:39:42,373 [root] DEBUG: 6320: caller_dispatch: Added region at 0x00F80000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00F8003A, thread 2132).
2025-12-09 07:39:42,373 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x079A0000.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x00F80000 - 0x00F8012C.
2025-12-09 07:39:42,373 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x12c bytes
2025-12-09 07:39:42,373 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_50205842390103122025 to CAPE\92e2153de898e78c7db4d1f8f7106549083eed8ee48b9b9363a32b8fcd71f2d6; Size is 65444; Max size: 100000000
2025-12-09 07:39:42,373 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_287023542390103122025 to CAPE\894615767dfb4be4309f4220814cb2b1ead2548235f6fbfca2c39a7dd03861a4; Size is 300; Max size: 100000000
2025-12-09 07:39:42,373 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_50205842390103122025 (size 65444 bytes)
2025-12-09 07:39:42,373 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_287023542390103122025 (size 300 bytes)
2025-12-09 07:39:42,373 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x09900000.
2025-12-09 07:39:42,389 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x00F80000, size 4096 bytes.
2025-12-09 07:39:42,389 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x00F80000.
2025-12-09 07:39:42,389 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6568_1159570142390103122025 to CAPE\8b1dbe729e615a4f51a1b08661b54713fa037a1869dea9ce762172d9e74b288c; Size is 11380; Max size: 100000000
2025-12-09 07:39:42,389 [root] DEBUG: 6320: YaraScan: Scanning 0x00F80000, size 0x12c
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6568_1159570142390103122025 (size 11380 bytes)
2025-12-09 07:39:42,389 [root] DEBUG: 6320: caller_dispatch: Added region at 0x00F90000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00F9003A, thread 2132).
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x09D50000.
2025-12-09 07:39:42,389 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x00F90000 - 0x00F9012C.
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpMemory: Dump at 0x09D50000 skipped due to dump limit 10
2025-12-09 07:39:42,389 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x12c bytes
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET image at 0x09DA0000.
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpImageInCurrentProcess: Dump at 0x09DA0000 skipped due to dump limit 10
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET JIT native cache at 0x09E80000.
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpMemory: Dump at 0x09E80000 skipped due to dump limit 10
2025-12-09 07:39:42,389 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_948576542390103122025 to CAPE\0b884ebdf8179a3cacebf7119873f4828ea6ec5f69c0afacb26eb4fd475e73b4; Size is 300; Max size: 100000000
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET image at 0x0A570000.
2025-12-09 07:39:42,389 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_948576542390103122025 (size 300 bytes)
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpImageInCurrentProcess: Dump at 0x0A570000 skipped due to dump limit 10
2025-12-09 07:39:42,389 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x00F90000, size 4096 bytes.
2025-12-09 07:39:42,389 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x00F90000.
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpInterestingRegions: Dumping .NET image at 0x0CB80000.
2025-12-09 07:39:42,389 [root] DEBUG: 6320: YaraScan: Scanning 0x00F90000, size 0x12c
2025-12-09 07:39:42,389 [root] DEBUG: 6568: DumpImageInCurrentProcess: Dump at 0x0CB80000 skipped due to dump limit 10
2025-12-09 07:39:42,404 [root] DEBUG: 6320: caller_dispatch: Added region at 0x00FA0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00FA003A, thread 2132).
2025-12-09 07:39:42,404 [root] DEBUG: 6568: DumpRegion: Dump at 0x7EF60000 skipped due to dump limit 10
2025-12-09 07:39:42,404 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x00FA0000 - 0x00FA012C.
2025-12-09 07:39:42,404 [root] DEBUG: 6568: ProcessTrackedRegion: Failed to dump region at 0x7EF60000.
2025-12-09 07:39:42,404 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x12c bytes
2025-12-09 07:39:42,404 [root] INFO: Process with pid 6568 has terminated
2025-12-09 07:39:42,404 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_564307242390103122025 to CAPE\c7b4888c4b69dd92ad172cdfbf1b4ed2ee5b714ecf0f627878dd4888fe7d19ae; Size is 300; Max size: 100000000
2025-12-09 07:39:42,420 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_564307242390103122025 (size 300 bytes)
2025-12-09 07:39:42,420 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x00FA0000, size 4096 bytes.
2025-12-09 07:39:42,420 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x00FA0000.
2025-12-09 07:39:42,420 [root] DEBUG: 6320: YaraScan: Scanning 0x00FA0000, size 0x12c
2025-12-09 07:39:42,420 [root] DEBUG: 6320: DLL loaded at 0x74F00000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x88000 bytes).
2025-12-09 07:39:42,420 [root] DEBUG: 6320: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:39:42,436 [root] DEBUG: 6320: DLL loaded at 0x755C0000: C:\Windows\SYSTEM32\kernel.appcore (0x13000 bytes).
2025-12-09 07:39:42,436 [root] DEBUG: 6320: DLL loaded at 0x753A0000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2025-12-09 07:39:42,436 [root] DEBUG: 6320: DLL loaded at 0x74E40000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xb3000 bytes).
2025-12-09 07:39:42,436 [root] DEBUG: 6320: DLL loaded at 0x753B0000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x15000 bytes).
2025-12-09 07:39:42,436 [root] DEBUG: 6320: DLL loaded at 0x728E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x7bc000 bytes).
2025-12-09 07:39:42,452 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x03263000, size: 0x1000.
2025-12-09 07:39:42,467 [root] DEBUG: 6320: GetEntropy: Error - Supplied address inaccessible: 0x03260000
2025-12-09 07:39:42,467 [root] DEBUG: 6320: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:42,498 [root] DEBUG: 6320: InstrumentationCallback: Added region at 0x76EE0000 to tracked regions list (thread 2132).
2025-12-09 07:39:42,514 [root] DEBUG: 6320: api-rate-cap: NtQueryPerformanceCounter hook disabled due to rate
2025-12-09 07:39:42,514 [root] DEBUG: 6320: DLL loaded at 0x71490000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\31532774e8bbbd9c59b5e6d7829d3242\mscorlib.ni (0x144c000 bytes).
2025-12-09 07:39:42,514 [root] DEBUG: 6320: DLL loaded at 0x77560000: C:\Windows\System32\bcryptPrimitives (0x62000 bytes).
2025-12-09 07:39:42,514 [root] DEBUG: 6320: DLL loaded at 0x753D0000: C:\Windows\system32\uxtheme (0x7f000 bytes).
2025-12-09 07:39:42,514 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x04B60000, size: 0x1000.
2025-12-09 07:39:42,545 [root] DEBUG: 6320: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:42,561 [root] DEBUG: 6320: AllocationHandler: Processing previous tracked region at: 0x03260000.
2025-12-09 07:39:42,561 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x03260000 - 0x03260015.
2025-12-09 07:39:42,561 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x15 bytes
2025-12-09 07:39:42,561 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_854795742391592122025 to CAPE\0f6a01074655ce007cbbee8ff6e8934e3e6266b57c69ce25c9a89b2f70e61f36; Size is 21; Max size: 100000000
2025-12-09 07:39:42,576 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_854795742391592122025 (size 21 bytes)
2025-12-09 07:39:42,576 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x03260000, size 4096 bytes.
2025-12-09 07:39:42,592 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x03260000.
2025-12-09 07:39:42,592 [root] DEBUG: 6320: YaraScan: Scanning 0x03260000, size 0x15
2025-12-09 07:39:42,608 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x03295000, size: 0x1000.
2025-12-09 07:39:42,623 [root] DEBUG: 6320: GetEntropy: Error - Supplied address inaccessible: 0x03290000
2025-12-09 07:39:42,623 [root] DEBUG: 6320: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:42,623 [root] DEBUG: 6320: AllocationHandler: Processing previous tracked region at: 0x04B60000.
2025-12-09 07:39:42,623 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x04B60000 - 0x04B60112.
2025-12-09 07:39:42,623 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x112 bytes
2025-12-09 07:39:42,623 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_181542242391592122025 to CAPE\04d196f249f6a31f6e32efddee9d4739fd626f358832767c627bb1f2acedf7be; Size is 274; Max size: 100000000
2025-12-09 07:39:42,639 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_181542242391592122025 (size 274 bytes)
2025-12-09 07:39:42,639 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x04B60000, size 4096 bytes.
2025-12-09 07:39:42,639 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x04B60000.
2025-12-09 07:39:42,654 [root] DEBUG: 6320: YaraScan: Scanning 0x04B60000, size 0x112
2025-12-09 07:39:42,654 [root] DEBUG: 6320: AllocationHandler: Allocation already in tracked region list: 0x03290000.
2025-12-09 07:39:42,654 [root] DEBUG: 6320: AllocationHandler: Allocation already in tracked region list: 0x03290000.
2025-12-09 07:39:42,670 [root] DEBUG: 6320: DLL loaded at 0x75E70000: C:\Windows\System32\OLEAUT32 (0x9c000 bytes).
2025-12-09 07:39:42,670 [root] DEBUG: 6320: hook_api: clrjit::compileMethod export address 0x7463A700 obtained via GetFunctionAddress
2025-12-09 07:39:42,686 [root] DEBUG: 6320: DLL loaded at 0x74620000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7e000 bytes).
2025-12-09 07:39:42,701 [root] DEBUG: 6320: DLL loaded at 0x709A0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\5380d2b417dae69a597fcfb16c76a7b7\System.ni (0xa1c000 bytes).
2025-12-09 07:39:42,701 [root] DEBUG: 6320: .NET JIT native cache at 0x04B60000: scans and dumps active.
2025-12-09 07:39:42,717 [root] DEBUG: 6320: YaraScan hit: AgentTeslaV3JIT
2025-12-09 07:39:42,717 [root] DEBUG: 6320: Config: bp0 set to 0x0000004E.
2025-12-09 07:39:42,717 [root] DEBUG: 6320: Config: Trace instruction count set to 0x0
2025-12-09 07:39:42,717 [root] DEBUG: 6320: Config: Action0 set to string:eax+8.
2025-12-09 07:39:42,717 [root] DEBUG: 6320: Config: typestring set to AgentTesla Strings
2025-12-09 07:39:42,717 [root] DEBUG: 6320: Config: Debugger log diverted.
2025-12-09 07:39:42,717 [root] DEBUG: 6320: SetInitialBreakpoints: Breakpoint 0 set on address 0x04B61F6E (RVA 0x4e, type 0, hit count 0, thread 2132)
2025-12-09 07:39:42,733 [root] DEBUG: 6320: StringsOutput: Output file C:\EXMiUAlFU\CAPE\6320.txt.
2025-12-09 07:39:42,795 [root] DEBUG: 6320: DLL loaded at 0x70180000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\53a9cd078a677c9b2820831d13828801\System.Core.ni (0x818000 bytes).
2025-12-09 07:39:42,795 [root] DEBUG: 6320: DLL loaded at 0x74510000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\7ca34fb9f713c597d60f034e09f5da28\System.Configuration.ni (0x105000 bytes).
2025-12-09 07:39:42,811 [root] DEBUG: 6320: DLL loaded at 0x6FA10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\dbbfe4100fa444758f5b90b58d6b6cd2\System.Xml.ni (0x76c000 bytes).
2025-12-09 07:39:42,826 [root] DEBUG: 6320: DLL loaded at 0x765D0000: C:\Windows\System32\shell32 (0x697000 bytes).
2025-12-09 07:39:42,826 [root] DEBUG: 6320: DLL loaded at 0x752D0000: C:\Windows\SYSTEM32\wintypes (0xc7000 bytes).
2025-12-09 07:39:42,826 [root] DEBUG: 6320: DLL loaded at 0x746A0000: C:\Windows\SYSTEM32\windows.storage (0x6ec000 bytes).
2025-12-09 07:39:42,858 [root] DEBUG: 6320: DLL loaded at 0x77700000: C:\Windows\System32\SHCORE (0xc1000 bytes).
2025-12-09 07:39:42,858 [root] DEBUG: 6320: DLL loaded at 0x744F0000: C:\Windows\SYSTEM32\profapi (0x1d000 bytes).
2025-12-09 07:39:42,889 [root] DEBUG: 6320: DLL loaded at 0x74DF0000: C:\Windows\SYSTEM32\CRYPTSP (0x15000 bytes).
2025-12-09 07:39:42,889 [root] DEBUG: 6320: DLL loaded at 0x74DC0000: C:\Windows\system32\rsaenh (0x30000 bytes).
2025-12-09 07:39:42,905 [root] DEBUG: 6320: DLL loaded at 0x77920000: C:\Windows\System32\MSCTF (0xfc000 bytes).
2025-12-09 07:39:49,255 [root] DEBUG: 6320: DLL loaded at 0x75AE0000: C:\Windows\System32\psapi (0x6000 bytes).
2025-12-09 07:39:49,271 [root] DEBUG: 6320: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2025-12-09 07:39:49,302 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 1544 (handle 0x47c).
2025-12-09 07:39:49,302 [lib.api.process] INFO: Monitor config for <Process 4052 svchost.exe>: C:\tmpuce0d7me\dll\4052.ini
2025-12-09 07:39:49,318 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:39:49,350 [root] DEBUG: Loader: Injecting process 4052 with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:39:49,365 [root] DEBUG: 4052: Python path set to 'C:\Python38'.
2025-12-09 07:39:49,365 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:49,381 [root] DEBUG: 4052: Dropped file limit defaulting to 100.
2025-12-09 07:39:49,381 [root] DEBUG: 4052: Services hook set enabled
2025-12-09 07:39:49,381 [root] DEBUG: 4052: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:39:49,381 [root] DEBUG: 4052: GetAddressByYara: ModuleBase 0x00007FF8E5730000 FunctionName RtlInsertInvertedFunctionTable
2025-12-09 07:39:49,396 [root] DEBUG: 4052: RtlInsertInvertedFunctionTable 0x00007FF8E575BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FF8E58B70F0
2025-12-09 07:39:49,396 [root] DEBUG: 4052: AmsiDumper initialised.
2025-12-09 07:39:49,412 [root] DEBUG: 4052: Monitor initialised: 64-bit capemon loaded in process 4052 at 0x00007FF8B7F50000, thread 6208, image base 0x00007FF74CCC0000, stack from 0x000000ACA7AF5000-0x000000ACA7B00000
2025-12-09 07:39:49,412 [root] DEBUG: 4052: Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p
2025-12-09 07:39:49,427 [root] DEBUG: 4052: hook_api: Warning - CoCreateInstance export address 0x00007FF8E4157EF9 differs from GetProcAddress -> 0x00007FF8E4CA2050 (combase.dll::0x42050)
2025-12-09 07:39:49,427 [root] DEBUG: 4052: hook_api: Warning - CoCreateInstanceEx export address 0x00007FF8E4157F38 differs from GetProcAddress -> 0x00007FF8E4C7CC40 (combase.dll::0x1cc40)
2025-12-09 07:39:49,427 [root] DEBUG: 4052: hook_api: Warning - CoGetClassObject export address 0x00007FF8E41584C8 differs from GetProcAddress -> 0x00007FF8E4D29870 (combase.dll::0xc9870)
2025-12-09 07:39:49,443 [root] DEBUG: 4052: Hooked 69 out of 69 functions
2025-12-09 07:39:49,443 [root] INFO: Loaded monitor into process with pid 4052
2025-12-09 07:39:49,443 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:39:49,443 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:39:49,490 [lib.api.process] INFO: Injected into 64-bit <Process 4052 svchost.exe>
2025-12-09 07:39:51,507 [root] DEBUG: 6320: DLL loaded at 0x76E50000: C:\Windows\System32\clbcatq (0x82000 bytes).
2025-12-09 07:39:51,523 [root] DEBUG: 6320: DLL loaded at 0x74430000: C:\Windows\SYSTEM32\wbemcomn (0x67000 bytes).
2025-12-09 07:39:51,523 [root] DEBUG: 6320: DLL loaded at 0x744A0000: C:\Windows\system32\wbem\wbemdisp (0x42000 bytes).
2025-12-09 07:39:51,539 [root] DEBUG: 6320: DLL loaded at 0x74E30000: C:\Windows\system32\wbem\wbemprox (0xe000 bytes).
2025-12-09 07:39:51,554 [root] DEBUG: 6320: DLL loaded at 0x74410000: C:\Windows\system32\wbem\wmiutils (0x1e000 bytes).
2025-12-09 07:39:51,601 [root] DEBUG: 6320: DLL loaded at 0x743F0000: C:\Windows\system32\wbem\wbemsvc (0x11000 bytes).
2025-12-09 07:39:51,648 [root] DEBUG: 6320: DLL loaded at 0x74320000: C:\Windows\system32\wbem\fastprox (0xcc000 bytes).
2025-12-09 07:39:51,679 [root] DEBUG: 6320: DLL loaded at 0x74300000: C:\Windows\SYSTEM32\amsi (0x15000 bytes).
2025-12-09 07:39:51,695 [root] DEBUG: 6320: DLL loaded at 0x742D0000: C:\Windows\SYSTEM32\USERENV (0x24000 bytes).
2025-12-09 07:39:51,695 [root] DEBUG: 6320: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:39:51,711 [root] DEBUG: 6320: DLL loaded at 0x74260000: C:\Program Files (x86)\Windows Defender\MpOav (0x6b000 bytes).
2025-12-09 07:39:51,726 [root] DEBUG: 6320: DLL loaded at 0x741D0000: C:\Windows\SYSTEM32\sxs (0x85000 bytes).
2025-12-09 07:39:59,887 [root] DEBUG: 6320: DLL loaded at 0x741B0000: C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x19000 bytes).
2025-12-09 07:39:59,903 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x079C0000, size: 0x1000.
2025-12-09 07:39:59,903 [root] DEBUG: 6320: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:39:59,903 [root] DEBUG: 6320: AllocationHandler: Processing previous tracked region at: 0x03290000.
2025-12-09 07:39:59,903 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x03290000 - 0x0329008C.
2025-12-09 07:39:59,903 [root] DEBUG: 6320: ScanForDisguisedPE: Size too small: 0x8c bytes
2025-12-09 07:39:59,918 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_196763759391592122025 to CAPE\aa19c7472565d64c2b4d4e39805370d46b76e60a276952cf6c512ebceaa2eece; Size is 140; Max size: 100000000
2025-12-09 07:39:59,934 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_196763759391592122025 (size 140 bytes)
2025-12-09 07:39:59,934 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x03290000, size 4096 bytes.
2025-12-09 07:39:59,934 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x03290000.
2025-12-09 07:39:59,950 [root] DEBUG: 6320: YaraScan: Scanning 0x03290000, size 0x8c
2025-12-09 07:39:59,950 [root] DEBUG: 6320: AllocationHandler: Allocation already in tracked region list: 0x079C0000.
2025-12-09 07:39:59,950 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x0327E000, size: 0x1000.
2025-12-09 07:39:59,950 [root] DEBUG: 6320: AllocationHandler: Processing previous tracked region at: 0x079C0000.
2025-12-09 07:39:59,966 [root] DEBUG: 6320: DumpPEsInRange: Scanning range 0x079C0000 - 0x079C11DC.
2025-12-09 07:39:59,966 [root] DEBUG: 6320: ScanForDisguisedPE: No PE image located in range 0x079C0000-0x079C11DC.
2025-12-09 07:39:59,981 [lib.common.results] INFO: Uploading file C:\EXMiUAlFU\CAPE\6320_600272459391592122025 to CAPE\a077ff34eb7cbcba3610331146e262f5ccd256400fbe94821e0613546d63285a; Size is 4572; Max size: 100000000
2025-12-09 07:39:59,981 [root] DEBUG: 6320: DumpMemory: Payload successfully created: C:\EXMiUAlFU\CAPE\6320_600272459391592122025 (size 4572 bytes)
2025-12-09 07:39:59,981 [root] DEBUG: 6320: DumpRegion: Dumped entire allocation from 0x079C0000, size 8192 bytes.
2025-12-09 07:39:59,981 [root] DEBUG: 6320: ProcessTrackedRegion: Dumped region at 0x079C0000.
2025-12-09 07:39:59,997 [root] DEBUG: 6320: YaraScan: Scanning 0x079C0000, size 0x11dc
2025-12-09 07:39:59,997 [root] DEBUG: 6320: .NET JIT native cache at 0x079D0000: scans and dumps active.
2025-12-09 07:39:59,997 [root] DEBUG: 6320: caller_dispatch: Added region at 0x079D0000 to tracked regions list (ntdll::NtSetInformationThread returns to 0x079D0665, thread 2132).
2025-12-09 07:39:59,997 [root] DEBUG: 6320: ProcessTrackedRegion: .NET cache region at 0x079D0000 skipped
2025-12-09 07:40:00,059 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 4892 (handle 0x540).
2025-12-09 07:40:00,059 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x7EE60000, size: 0x50000.
2025-12-09 07:40:00,075 [root] DEBUG: 6320: GetEntropy: Error - Supplied address inaccessible: 0x7EE60000
2025-12-09 07:40:00,090 [root] DEBUG: 6320: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7EE60000.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AllocationHandler: Previously reserved region at 0x7EE60000, committing at: 0x7EE60000.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AllocationHandler: Allocation already in tracked region list: 0x7EE60000.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AllocationHandler: Allocation already in tracked region list: 0x7EE60000.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AllocationHandler: Adding allocation to tracked region list: 0x7EE50000, size: 0x10000.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: GetEntropy: Error - Supplied address inaccessible: 0x7EE50000
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AddTrackedRegion: GetEntropy failed.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: AllocationHandler: Processing previous tracked region at: 0x7EE60000.
2025-12-09 07:40:00,106 [root] DEBUG: 6320: DumpRegion: Dump at 0x7EE60000 skipped due to dump limit 10
2025-12-09 07:40:00,106 [root] DEBUG: 6320: ProcessTrackedRegion: Failed to dump region at 0x7EE60000.
2025-12-09 07:40:00,122 [root] DEBUG: 6320: YaraScan: Scanning 0x7EE60000, size 0x3c
2025-12-09 07:40:00,122 [root] DEBUG: 6320: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7EE50000.
2025-12-09 07:40:00,122 [root] DEBUG: 6320: AllocationHandler: Previously reserved region at 0x7EE50000, committing at: 0x7EE50000.
2025-12-09 07:40:00,168 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 4176 (handle 0x56c).
2025-12-09 07:40:00,200 [root] DEBUG: 6320: DLL loaded at 0x74180000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x22000 bytes).
2025-12-09 07:40:00,294 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 3188 (handle 0x58c).
2025-12-09 07:40:00,309 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 4456 (handle 0x5a8).
2025-12-09 07:40:02,747 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 4688 (handle 0x5f8).
2025-12-09 07:40:03,246 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 4928 (handle 0x654).
2025-12-09 07:40:03,450 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 5260 (handle 0x67c).
2025-12-09 07:40:03,450 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 5048 (handle 0x684).
2025-12-09 07:40:10,815 [root] DEBUG: 848: CreateProcessHandler: Injection info set for new process 1940: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuth.exe, ImageBase: 0x0000000000F00000
2025-12-09 07:40:10,830 [root] INFO: Announced 32-bit process name: FileCoAuth.exe pid: 1940
2025-12-09 07:40:10,830 [lib.api.process] INFO: Monitor config for <Process 1940 FileCoAuth.exe>: C:\tmpuce0d7me\dll\1940.ini
2025-12-09 07:40:10,908 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:40:10,971 [root] DEBUG: Loader: Injecting process 1940 (thread 6660) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:10,971 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:40:11,002 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:11,112 [root] DEBUG: 720: DLL loaded at 0x00007FF8DB060000: C:\Windows\system32\logoncli (0x45000 bytes).
2025-12-09 07:40:11,112 [lib.api.process] INFO: Injected into 32-bit <Process 1940 FileCoAuth.exe>
2025-12-09 07:40:11,143 [root] INFO: Announced 32-bit process name: FileCoAuth.exe pid: 1940
2025-12-09 07:40:11,143 [lib.api.process] INFO: Monitor config for <Process 1940 FileCoAuth.exe>: C:\tmpuce0d7me\dll\1940.ini
2025-12-09 07:40:11,143 [root] DEBUG: 720: DLL loaded at 0x00007FF8E4350000: C:\Windows\System32\WLDAP32 (0x62000 bytes).
2025-12-09 07:40:11,174 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:40:11,205 [root] DEBUG: Loader: Injecting process 1940 (thread 6660) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:11,205 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:40:11,221 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:11,252 [lib.api.process] INFO: Injected into 32-bit <Process 1940 FileCoAuth.exe>
2025-12-09 07:40:11,471 [root] DEBUG: 1940: Python path set to 'C:\Python38'.
2025-12-09 07:40:11,486 [root] DEBUG: 1940: Dropped file limit defaulting to 100.
2025-12-09 07:40:11,533 [root] INFO: Disabling sleep skipping.
2025-12-09 07:40:11,533 [root] DEBUG: 1940: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:40:11,533 [root] DEBUG: 1940: YaraScan: Scanning 0x00F00000, size 0xcb190
2025-12-09 07:40:11,533 [root] DEBUG: 1940: AmsiDumper initialised.
2025-12-09 07:40:11,533 [root] DEBUG: 1940: Monitor initialised: 32-bit capemon loaded in process 1940 at 0x74fc0000, thread 6660, image base 0xf00000, stack from 0x6f6000-0x700000
2025-12-09 07:40:11,549 [root] DEBUG: 1940: Commandline: "C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuth.exe" -Embedding
2025-12-09 07:40:11,549 [root] DEBUG: 1940: GetAddressByYara: ModuleBase 0x77AF0000 FunctionName LdrpCallInitRoutine
2025-12-09 07:40:11,565 [root] DEBUG: 1940: hook_api: LdrpCallInitRoutine export address 0x77B666A0 obtained via GetFunctionAddress
2025-12-09 07:40:11,596 [root] DEBUG: 1940: hook_api: Warning - CreateRemoteThreadEx export address 0x75FC9A4C differs from GetProcAddress -> 0x76FFDDB0 (KERNELBASE.dll::0x11ddb0)
2025-12-09 07:40:11,596 [root] DEBUG: 1940: hook_api: Warning - CoCreateInstance export address 0x77890FEB differs from GetProcAddress -> 0x7724FF70 (combase.dll::0xdff70)
2025-12-09 07:40:11,596 [root] DEBUG: 1940: hook_api: Warning - CoCreateInstanceEx export address 0x7789102A differs from GetProcAddress -> 0x7729CCF0 (combase.dll::0x12ccf0)
2025-12-09 07:40:11,596 [root] DEBUG: 1940: hook_api: Warning - CoGetClassObject export address 0x778915BA differs from GetProcAddress -> 0x77212BD0 (combase.dll::0xa2bd0)
2025-12-09 07:40:11,596 [root] DEBUG: 1940: hook_api: Warning - UpdateProcThreadAttribute export address 0x75FD18BA differs from GetProcAddress -> 0x7702BD10 (KERNELBASE.dll::0x14bd10)
2025-12-09 07:40:11,596 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:40:11,627 [root] DEBUG: 1940: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:40:11,627 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:40:11,643 [root] DEBUG: 1940: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:40:11,643 [root] DEBUG: 1940: hook_api: Warning - CLSIDFromProgID export address 0x77890824 differs from GetProcAddress -> 0x771E54C0 (combase.dll::0x754c0)
2025-12-09 07:40:11,643 [root] DEBUG: 1940: hook_api: Warning - CLSIDFromProgIDEx export address 0x77890861 differs from GetProcAddress -> 0x771DFF40 (combase.dll::0x6ff40)
2025-12-09 07:40:11,643 [root] DEBUG: 1940: Hooked 611 out of 613 functions
2025-12-09 07:40:11,643 [root] DEBUG: 1940: Syscall hook installed, syscall logging level 1
2025-12-09 07:40:11,643 [root] DEBUG: 1940: WoW64fix: Windows version 10.0 not supported.
2025-12-09 07:40:11,658 [root] INFO: Loaded monitor into process with pid 1940
2025-12-09 07:40:11,658 [root] DEBUG: 1940: YaraScan: Scanning 0x73620000, size 0x14b06
2025-12-09 07:40:11,674 [root] DEBUG: 1940: caller_dispatch: Added region at 0x73620000 to tracked regions list (ntdll::LdrLoadDll returns to 0x7362824F, thread 6660).
2025-12-09 07:40:11,674 [root] DEBUG: 1940: caller_dispatch: Scanning calling region at 0x73620000...
2025-12-09 07:40:11,674 [root] DEBUG: 1940: ProcessTrackedRegion: Region at 0x73620000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\vcruntime140.dll, skipping
2025-12-09 07:40:11,690 [root] DEBUG: 1940: YaraScan: Scanning 0x73640000, size 0x6c73e
2025-12-09 07:40:11,690 [root] DEBUG: 1940: YaraScan: Scanning 0x740E0000, size 0x91e24
2025-12-09 07:40:11,690 [root] DEBUG: 1940: YaraScan: Scanning 0x740E0000, size 0x91e24
2025-12-09 07:40:11,690 [root] DEBUG: 1940: YaraScan: Scanning 0x740E0000, size 0x91e24
2025-12-09 07:40:11,705 [root] DEBUG: 1940: caller_dispatch: Added region at 0x73640000 to tracked regions list (ntdll::LdrLoadDll returns to 0x7366BD1E, thread 6660).
2025-12-09 07:40:11,705 [root] DEBUG: 1940: caller_dispatch: Scanning calling region at 0x73640000...
2025-12-09 07:40:11,721 [root] DEBUG: 1940: ProcessTrackedRegion: Region at 0x73640000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\msvcp140.dll, skipping
2025-12-09 07:40:11,721 [root] DEBUG: 1940: DLL loaded at 0x77560000: C:\Windows\System32\bcryptPrimitives (0x62000 bytes).
2025-12-09 07:40:11,721 [root] DEBUG: 1940: InstrumentationCallback: Added region at 0x76EE0000 to tracked regions list (thread 6660).
2025-12-09 07:40:11,721 [root] DEBUG: 1940: YaraScan: Scanning 0x74060000, size 0x759f4
2025-12-09 07:40:11,737 [root] DEBUG: 1940: YaraScan: Scanning 0x6F4A0000, size 0x14d4fc
2025-12-09 07:40:11,752 [root] DEBUG: 1940: YaraScan: Scanning 0x6F4A0000, size 0x14d4fc
2025-12-09 07:40:11,752 [root] DEBUG: 1940: caller_dispatch: Added region at 0x6F4A0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x6F4AEC9B, thread 6660).
2025-12-09 07:40:11,768 [root] DEBUG: 1940: caller_dispatch: Scanning calling region at 0x6F4A0000...
2025-12-09 07:40:11,768 [root] DEBUG: 1940: ProcessTrackedRegion: Region at 0x6F4A0000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\adal.dll, skipping
2025-12-09 07:40:11,768 [root] DEBUG: 1940: YaraScan: Scanning 0x73470000, size 0x7e188
2025-12-09 07:40:11,768 [root] DEBUG: 1940: YaraScan: Scanning 0x6F410000, size 0x80b22
2025-12-09 07:40:11,783 [root] DEBUG: 1940: YaraScan: Scanning 0x6F5F0000, size 0x41ab94
2025-12-09 07:40:11,799 [root] DEBUG: 1940: YaraScan: Scanning 0x6F5F0000, size 0x41ab94
2025-12-09 07:40:11,830 [root] DEBUG: 1940: YaraScan: Scanning 0x6F5F0000, size 0x41ab94
2025-12-09 07:40:11,846 [root] DEBUG: 1940: caller_dispatch: Added region at 0x00F00000 to tracked regions list (ntdll::memcpy returns to 0x00F67BAC, thread 6660).
2025-12-09 07:40:11,862 [root] DEBUG: 1940: YaraScan: Scanning 0x00F00000, size 0xcb190
2025-12-09 07:40:11,862 [root] DEBUG: 1940: ProcessImageBase: Main module image at 0x00F00000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:40:11,862 [root] DEBUG: 1940: caller_dispatch: Added region at 0x740E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x74132B0C, thread 6660).
2025-12-09 07:40:11,862 [root] DEBUG: 1940: ProcessTrackedRegion: Region at 0x740E0000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\LoggingPlatform.dll, skipping
2025-12-09 07:40:11,893 [root] DEBUG: 1940: DLL loaded at 0x74DF0000: C:\Windows\SYSTEM32\CRYPTSP (0x15000 bytes).
2025-12-09 07:40:11,893 [root] DEBUG: 1940: DLL loaded at 0x74DC0000: C:\Windows\system32\rsaenh (0x30000 bytes).
2025-12-09 07:40:11,924 [root] DEBUG: 1940: DLL loaded at 0x752D0000: C:\Windows\SYSTEM32\wintypes (0xc7000 bytes).
2025-12-09 07:40:11,940 [root] DEBUG: 1940: DLL loaded at 0x746A0000: C:\Windows\SYSTEM32\windows.storage (0x6ec000 bytes).
2025-12-09 07:40:11,955 [root] DEBUG: 1940: DLL loaded at 0x77700000: C:\Windows\System32\SHCORE (0xc1000 bytes).
2025-12-09 07:40:11,955 [root] DEBUG: 1940: DLL loaded at 0x744F0000: C:\Windows\SYSTEM32\profapi (0x1d000 bytes).
2025-12-09 07:40:11,987 [root] DEBUG: 1940: DLL loaded at 0x75740000: C:\Windows\SYSTEM32\IPHLPAPI (0x24000 bytes).
2025-12-09 07:40:11,987 [root] DEBUG: 1940: DLL loaded at 0x6F230000: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\OneDriveTelemetryStable (0x1a2000 bytes).
2025-12-09 07:40:11,987 [root] DEBUG: 1940: DLL loaded at 0x6F1B0000: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileSyncTelemetryExtensions (0x71000 bytes).
2025-12-09 07:40:12,033 [root] DEBUG: 1940: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:40:12,033 [root] DEBUG: 1940: DLL loaded at 0x755C0000: C:\Windows\SYSTEM32\kernel.appcore (0x13000 bytes).
2025-12-09 07:40:12,033 [root] DEBUG: 1940: DLL loaded at 0x753D0000: C:\Windows\system32\uxtheme (0x7f000 bytes).
2025-12-09 07:40:12,049 [root] DEBUG: 1940: DLL loaded at 0x76E50000: C:\Windows\System32\clbcatq (0x82000 bytes).
2025-12-09 07:40:12,065 [root] DEBUG: 1940: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:40:12,080 [root] DEBUG: 1940: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:40:12,080 [root] DEBUG: 1940: DLL loaded at 0x6F180000: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuthLib (0x2b000 bytes).
2025-12-09 07:40:18,293 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.1940.1.aodl
2025-12-09 07:40:18,309 [root] DEBUG: 1940: NtTerminateProcess hook: Attempting to dump process 1940
2025-12-09 07:40:18,309 [root] DEBUG: 1940: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:40:18,309 [root] INFO: Process with pid 1940 has terminated
2025-12-09 07:40:20,075 [root] DEBUG: 848: CreateProcessHandler: Injection info set for new process 580: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuth.exe, ImageBase: 0x0000000000F00000
2025-12-09 07:40:20,106 [root] INFO: Announced 32-bit process name: FileCoAuth.exe pid: 580
2025-12-09 07:40:20,106 [lib.api.process] INFO: Monitor config for <Process 580 FileCoAuth.exe>: C:\tmpuce0d7me\dll\580.ini
2025-12-09 07:40:20,153 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:40:20,215 [root] DEBUG: Loader: Injecting process 580 (thread 4132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:20,231 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:40:20,247 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:20,372 [lib.api.process] INFO: Injected into 32-bit <Process 580 FileCoAuth.exe>
2025-12-09 07:40:20,403 [root] INFO: Announced 32-bit process name: FileCoAuth.exe pid: 580
2025-12-09 07:40:20,403 [lib.api.process] INFO: Monitor config for <Process 580 FileCoAuth.exe>: C:\tmpuce0d7me\dll\580.ini
2025-12-09 07:40:20,434 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpuce0d7me\dll\WFVXeB.dll, loader C:\tmpuce0d7me\bin\EpgvxWG.exe
2025-12-09 07:40:20,544 [root] DEBUG: Loader: Injecting process 580 (thread 4132) with C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:20,544 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:40:20,559 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\WFVXeB.dll.
2025-12-09 07:40:20,653 [lib.api.process] INFO: Injected into 32-bit <Process 580 FileCoAuth.exe>
2025-12-09 07:40:20,762 [root] DEBUG: 580: Python path set to 'C:\Python38'.
2025-12-09 07:40:20,762 [root] DEBUG: 580: Dropped file limit defaulting to 100.
2025-12-09 07:40:20,778 [root] INFO: Disabling sleep skipping.
2025-12-09 07:40:20,809 [root] DEBUG: 580: YaraInit: Compiled rules loaded from existing file C:\tmpuce0d7me\data\yara\capemon.yac
2025-12-09 07:40:20,809 [root] DEBUG: 580: YaraScan: Scanning 0x00F00000, size 0xcb190
2025-12-09 07:40:20,825 [root] DEBUG: 580: AmsiDumper initialised.
2025-12-09 07:40:20,840 [root] DEBUG: 580: Monitor initialised: 32-bit capemon loaded in process 580 at 0x74fc0000, thread 4132, image base 0xf00000, stack from 0x5356000-0x5360000
2025-12-09 07:40:20,840 [root] DEBUG: 580: Commandline: "C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuth.exe" -Embedding
2025-12-09 07:40:20,872 [root] DEBUG: 580: GetAddressByYara: ModuleBase 0x77AF0000 FunctionName LdrpCallInitRoutine
2025-12-09 07:40:20,887 [root] DEBUG: 580: hook_api: LdrpCallInitRoutine export address 0x77B666A0 obtained via GetFunctionAddress
2025-12-09 07:40:20,903 [root] DEBUG: 580: hook_api: Warning - CreateRemoteThreadEx export address 0x75FC9A4C differs from GetProcAddress -> 0x76FFDDB0 (KERNELBASE.dll::0x11ddb0)
2025-12-09 07:40:20,919 [root] DEBUG: 580: hook_api: Warning - CoCreateInstance export address 0x77890FEB differs from GetProcAddress -> 0x7724FF70 (combase.dll::0xdff70)
2025-12-09 07:40:20,934 [root] DEBUG: 580: hook_api: Warning - CoCreateInstanceEx export address 0x7789102A differs from GetProcAddress -> 0x7729CCF0 (combase.dll::0x12ccf0)
2025-12-09 07:40:20,950 [root] DEBUG: 580: hook_api: Warning - CoGetClassObject export address 0x778915BA differs from GetProcAddress -> 0x77212BD0 (combase.dll::0xa2bd0)
2025-12-09 07:40:20,965 [root] DEBUG: 580: hook_api: Warning - UpdateProcThreadAttribute export address 0x75FD18BA differs from GetProcAddress -> 0x7702BD10 (KERNELBASE.dll::0x14bd10)
2025-12-09 07:40:20,981 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:40:20,981 [root] DEBUG: 580: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:40:20,981 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:40:20,997 [root] DEBUG: 580: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:40:21,012 [root] DEBUG: 580: hook_api: Warning - CLSIDFromProgID export address 0x77890824 differs from GetProcAddress -> 0x771E54C0 (combase.dll::0x754c0)
2025-12-09 07:40:21,012 [root] DEBUG: 580: hook_api: Warning - CLSIDFromProgIDEx export address 0x77890861 differs from GetProcAddress -> 0x771DFF40 (combase.dll::0x6ff40)
2025-12-09 07:40:21,028 [root] DEBUG: 580: Hooked 611 out of 613 functions
2025-12-09 07:40:21,028 [root] DEBUG: 580: Syscall hook installed, syscall logging level 1
2025-12-09 07:40:21,044 [root] DEBUG: 580: WoW64fix: Windows version 10.0 not supported.
2025-12-09 07:40:21,044 [root] INFO: Loaded monitor into process with pid 580
2025-12-09 07:40:21,044 [root] DEBUG: 580: YaraScan: Scanning 0x73620000, size 0x14b06
2025-12-09 07:40:21,059 [root] DEBUG: 580: caller_dispatch: Added region at 0x73620000 to tracked regions list (ntdll::LdrLoadDll returns to 0x7362824F, thread 4132).
2025-12-09 07:40:21,075 [root] DEBUG: 580: caller_dispatch: Scanning calling region at 0x73620000...
2025-12-09 07:40:21,075 [root] DEBUG: 580: ProcessTrackedRegion: Region at 0x73620000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\vcruntime140.dll, skipping
2025-12-09 07:40:21,075 [root] DEBUG: 580: YaraScan: Scanning 0x73640000, size 0x6c73e
2025-12-09 07:40:21,090 [root] DEBUG: 580: YaraScan: Scanning 0x740E0000, size 0x91e24
2025-12-09 07:40:21,090 [root] DEBUG: 580: YaraScan: Scanning 0x740E0000, size 0x91e24
2025-12-09 07:40:21,106 [root] DEBUG: 580: YaraScan: Scanning 0x740E0000, size 0x91e24
2025-12-09 07:40:21,137 [root] DEBUG: 580: caller_dispatch: Added region at 0x73640000 to tracked regions list (ntdll::LdrLoadDll returns to 0x7366BD1E, thread 4132).
2025-12-09 07:40:21,153 [root] DEBUG: 580: caller_dispatch: Scanning calling region at 0x73640000...
2025-12-09 07:40:21,169 [root] DEBUG: 580: ProcessTrackedRegion: Region at 0x73640000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\msvcp140.dll, skipping
2025-12-09 07:40:21,200 [root] DEBUG: 580: DLL loaded at 0x77560000: C:\Windows\System32\bcryptPrimitives (0x62000 bytes).
2025-12-09 07:40:21,247 [root] DEBUG: 580: InstrumentationCallback: Added region at 0x76EE0000 to tracked regions list (thread 4132).
2025-12-09 07:40:21,262 [root] DEBUG: 580: YaraScan: Scanning 0x74060000, size 0x759f4
2025-12-09 07:40:21,262 [root] DEBUG: 580: YaraScan: Scanning 0x6F4A0000, size 0x14d4fc
2025-12-09 07:40:21,309 [root] DEBUG: 580: YaraScan: Scanning 0x6F4A0000, size 0x14d4fc
2025-12-09 07:40:21,325 [root] DEBUG: 580: caller_dispatch: Added region at 0x6F4A0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x6F4AEC9B, thread 4132).
2025-12-09 07:40:21,341 [root] DEBUG: 580: caller_dispatch: Scanning calling region at 0x6F4A0000...
2025-12-09 07:40:21,356 [root] DEBUG: 580: ProcessTrackedRegion: Region at 0x6F4A0000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\adal.dll, skipping
2025-12-09 07:40:21,356 [root] DEBUG: 580: YaraScan: Scanning 0x73470000, size 0x7e188
2025-12-09 07:40:21,372 [root] DEBUG: 580: YaraScan: Scanning 0x6F410000, size 0x80b22
2025-12-09 07:40:21,372 [root] DEBUG: 580: YaraScan: Scanning 0x6F5F0000, size 0x41ab94
2025-12-09 07:40:21,403 [root] DEBUG: 580: YaraScan: Scanning 0x6F5F0000, size 0x41ab94
2025-12-09 07:40:21,434 [root] DEBUG: 580: YaraScan: Scanning 0x6F5F0000, size 0x41ab94
2025-12-09 07:40:21,466 [root] DEBUG: 580: caller_dispatch: Added region at 0x00F00000 to tracked regions list (ntdll::memcpy returns to 0x00F67BAC, thread 4132).
2025-12-09 07:40:21,481 [root] DEBUG: 580: YaraScan: Scanning 0x00F00000, size 0xcb190
2025-12-09 07:40:21,497 [root] DEBUG: 580: ProcessImageBase: Main module image at 0x00F00000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:40:21,513 [root] DEBUG: 580: caller_dispatch: Added region at 0x740E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x74132B0C, thread 4132).
2025-12-09 07:40:21,513 [root] DEBUG: 580: ProcessTrackedRegion: Region at 0x740E0000 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\LoggingPlatform.dll, skipping
2025-12-09 07:40:21,528 [root] DEBUG: 580: DLL loaded at 0x74DF0000: C:\Windows\SYSTEM32\CRYPTSP (0x15000 bytes).
2025-12-09 07:40:21,543 [root] DEBUG: 580: DLL loaded at 0x74DC0000: C:\Windows\system32\rsaenh (0x30000 bytes).
2025-12-09 07:40:21,590 [root] DEBUG: 580: DLL loaded at 0x752D0000: C:\Windows\SYSTEM32\wintypes (0xc7000 bytes).
2025-12-09 07:40:21,590 [root] DEBUG: 580: DLL loaded at 0x746A0000: C:\Windows\SYSTEM32\windows.storage (0x6ec000 bytes).
2025-12-09 07:40:21,653 [root] DEBUG: 580: DLL loaded at 0x77700000: C:\Windows\System32\SHCORE (0xc1000 bytes).
2025-12-09 07:40:21,700 [root] DEBUG: 580: DLL loaded at 0x744F0000: C:\Windows\SYSTEM32\profapi (0x1d000 bytes).
2025-12-09 07:40:21,763 [root] DEBUG: 580: DLL loaded at 0x75740000: C:\Windows\SYSTEM32\IPHLPAPI (0x24000 bytes).
2025-12-09 07:40:21,793 [root] DEBUG: 580: DLL loaded at 0x6F230000: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\OneDriveTelemetryStable (0x1a2000 bytes).
2025-12-09 07:40:21,825 [root] DEBUG: 580: DLL loaded at 0x6F1B0000: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileSyncTelemetryExtensions (0x71000 bytes).
2025-12-09 07:40:21,840 [root] DEBUG: 580: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:40:21,856 [root] DEBUG: 580: DLL loaded at 0x755C0000: C:\Windows\SYSTEM32\kernel.appcore (0x13000 bytes).
2025-12-09 07:40:21,872 [root] DEBUG: 580: DLL loaded at 0x753D0000: C:\Windows\system32\uxtheme (0x7f000 bytes).
2025-12-09 07:40:21,903 [root] DEBUG: 580: DLL loaded at 0x76E50000: C:\Windows\System32\clbcatq (0x82000 bytes).
2025-12-09 07:40:22,028 [root] DEBUG: 580: api-rate-cap: memcpy hook disabled due to rate
2025-12-09 07:40:22,075 [root] DEBUG: 580: DLL loaded at 0x6F180000: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuthLib (0x2b000 bytes).
2025-12-09 07:40:23,622 [root] INFO: Announced starting service "b'DPS'"
2025-12-09 07:40:23,622 [lib.api.process] INFO: Monitor config for <Process 680 services.exe>: C:\tmpuce0d7me\dll\680.ini
2025-12-09 07:40:23,653 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:40:23,716 [root] DEBUG: Loader: Injecting process 680 with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:40:23,778 [root] DEBUG: Loader: Copied config file C:\tmpuce0d7me\dll\680.ini to system path C:\680.ini
2025-12-09 07:40:28,796 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.580.1.aodl
2025-12-09 07:40:28,812 [root] DEBUG: 580: NtTerminateProcess hook: Attempting to dump process 580
2025-12-09 07:40:28,812 [root] DEBUG: 580: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:40:28,859 [root] INFO: Process with pid 580 has terminated
2025-12-09 07:40:33,282 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 820 (handle 0x6a0).
2025-12-09 07:40:33,361 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 3828 (handle 0x6a4).
2025-12-09 07:40:43,383 [root] DEBUG: 6320: InitNewThreadBreakpoints: Breakpoints set for thread 2384 (handle 0x578).
2025-12-09 07:40:48,013 [root] DEBUG: Loader: Unable to open process, launched: PPLinject64.exe 680 C:\tmpuce0d7me\dll\uusrbr.dll
2025-12-09 07:40:48,091 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:40:48,263 [lib.api.process] INFO: Injected into 64-bit <Process 680 services.exe>
2025-12-09 07:40:50,672 [root] DEBUG: 1260: CreateProcessHandler: Injection info set for new process 3352: C:\Windows\system32\sc.exe, ImageBase: 0x00007FF6C7E90000
2025-12-09 07:40:50,687 [root] INFO: Announced 64-bit process name: sc.exe pid: 3352
2025-12-09 07:40:50,687 [lib.api.process] INFO: Monitor config for <Process 3352 sc.exe>: C:\tmpuce0d7me\dll\3352.ini
2025-12-09 07:40:50,719 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:40:50,828 [root] DEBUG: Loader: Injecting process 3352 (thread 5504) with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:40:50,875 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:40:50,890 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:40:51,064 [lib.api.process] INFO: Injected into 64-bit <Process 3352 sc.exe>
2025-12-09 07:40:51,080 [root] INFO: Announced 64-bit process name: sc.exe pid: 3352
2025-12-09 07:40:51,080 [lib.api.process] INFO: Monitor config for <Process 3352 sc.exe>: C:\tmpuce0d7me\dll\3352.ini
2025-12-09 07:40:51,221 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpuce0d7me\dll\uusrbr.dll, loader C:\tmpuce0d7me\bin\MSGZtlUS.exe
2025-12-09 07:40:51,253 [root] DEBUG: Loader: Injecting process 3352 (thread 5504) with C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:40:51,315 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-09 07:40:51,331 [root] DEBUG: Successfully injected DLL C:\tmpuce0d7me\dll\uusrbr.dll.
2025-12-09 07:40:51,457 [lib.api.process] INFO: Injected into 64-bit <Process 3352 sc.exe>
Machine

Name Label Manager Started On Shutdown On
win11-64bit-tiny-1 win11-64bit-tiny-1 KVM 2025-12-09 15:36:52 2025-12-09 15:40:58

File Details

File Name BL 216238068 DOCS.exe
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File Size 783872 bytes
MD5 ba9c807ba1ef35055af5a4443bacd20b
SHA1 40f3736780a7d02a5d7edf18a982e4d5ff48d8db
SHA256 35745f99399f9d2a3cddb1ea463dcfbc8793ad471cb5913354d9a8fcf201c817
SHA3-384 36036fc5acdf4a800b8d630621c8ee09c99199dae75865d853b87b0e33986d36530fba23bc8e64231fd13037f4075e97
CRC32 40570D21
TLSH T1EAF419BD715472AFC837C1728A945C64F650A8FB630B4A17E4931B9A9D0F4C7EF840BA
Ssdeep 12288:h39PvaeRL7WE3P00c+IpFjsE5e0lZtwQY6hUr36out1QAYe3t6Yuf+afo0QE7T8C:htPy/1QfK6Yufrtj46dP
ToolStrip1
55674662
51584E7A5A57316962486C55636D466B5A573168636D74426448527961574A31644755
UInt32
44514767
;\h{XLB
42456C6B64425167
wSEXx0
:`8}5
52674270
get_UseCompatibleTextRendering
65514475
fkobC
43677359445468342F2F2F2F426864594367496C57674A59474630734278774E4F47542F2F2F3866435376324851303457662F2F2F77643044
e2?m04
515442483443
582F2F2F38544D
$Z8eSE3l9Qo\qL]u<HF:()Lq(
Sv:-2b
JEf2CHRY!
426959524243
466B5442537575
}LWs4;
T)azN
EventHandler
4335305A586830
456C46626E56745A584A68596D786C
47397758306C755A5846315957787064486B
DebuggerBrowsableState
<!-- Windows 8.1 -->
JKX3b
W{i0+
0{JGtP
424577514A64
683577
ZBn 1
rkklll#
l&x<$O
7A6F4263514378
68622B
OD*FoQ8a9yZ0="gY/-/7r:lc#
78514569
676E474D
43426B
4442384A4453444E
,4oEs
446751487A
u_vv=`
4A77426A
#Mm*#o8"o
AssemblyDescriptionAttribute
456C7564444D79
System.Runtime.InteropServices
77674B42776349
Label12
ToolStripDropDownButton2
52666751
%1lf2
?S=aB
g6[4r9
iKX\6
P*FK*0O
57524D464F486E2F2F2F38436A
5532786C5A58
T_t3f
r diese Einstellung anmelden, muss
K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"6
!>uzS
][t8_
b6Q<%
t$m|!7m
K4kZq`
0\k$PkS
72457755524252595746685967767745
j,.U^
ToolStripItemCollection
MB-z8:
nC]D,
51584E7A5A57316962486C446232356D61576431636D46306157397551585230636D6C696458526C
lO2SD
536F5242694475
Uwj8%
4B43674967677749
735242694358
Monitor
""""""""
45457734724A684548525155
Y{N]q$]
UZgw2
686743435143494D67
44674457674578
6c{,\
56473942636E4A6865514468677151
7830444267
3OvMD$
C'o!;
eoY=d3
#S*'r
9cx{Q
2F2F2F2F4268645943694353
OnZ;q
uRhLVb
Q}0.~D
T@OFTp?
r^AL.<
6F35704631694E43
y0zz?R_
C199y
n`SS~
,]@"+WI
4A6342
Werkstatt.My
425942
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
&(o'k
>*ydN
45444268454D
H!J@a
VOQ}v
$qiVh<
ue4{mG3
35674463
5132467362465235634755
4549437859544254685A2F2F2F2F
/<ell
K"K"K"K"K"K"K"K"K"K"K"K"K"K"4
Tn`]d
Cna;L
5fb[h&
'pnq.
t#{v
Yyn?/N
tR<3t
a>z4r
=h4+2
4274764751
3m%~B
@+v!"
59544268454D48336D5449446E59
Fehler
436749
5743684545487A2B5449476A4F
666751
zd3u@
466B4E4B3434624B2F6F554378674E4B34556F4867
<4!8;b
e#X~|="
g7Pk;
2"'xS
4677434D42
IH_<-
AcK'}
QBa}"
4DThZ
3Y'eDH
6834424269
;WW_A
72777877722B515A314277
Button2
FQ~!?&
S7`2)
624A51615443775959574A4D48595173644577343466662F2F2F333448
425142
7A4E77
457145516366565A4D676C6855
ML3qm
As2xt
466A30
eMG:Se~
46764577
7873424351487A
.NET Framework 4
43736D47684D4C4B37555242485542
fc"rO"$
K"K"K"K"7
(https://unity-wow.tk/download/update.bat
p1T@i
T:>fU^
4(78Oe
My<z4
set_MaximumSize
OdbcConnection
"Dr67
mCEO^
73484A566F48574268644C
4F4743732B47436F
_IvOc
xT/Ma
GhgOb
;oG|$
>FCp/
.*0]v
(PjkzgW
42424D454B7A494A525159
#2m<f1
4C516D
_G"90
5267444C67424C
/i7Nb
4A5144
Trust123 2021
<3SUX9
P^>zA
556F4377
HQsE^
r%w+G
51544269732F455156464377
5257356A62325270626D63
454244683442
w]1.1
G:Gr?s
544739685A
91i_;
45467A63325674596D783551323974634746756555463064484A70596E56305A51424263334E6C62574A736556427962325231593352426448527961574A31644755
,/0Y,
67484251676343
get_Item
4C7742
her) aktivieren -->
69454C
6mJLooD
G||%wW
425A4577737270484D47
get_Items
6761457755344F2F2F2F2F78384C4B2F5564457755344C2F2F2F2F776431
(.Cea
6247454E613348523146656857436852676331506E6B75306338334E2B6F435954444A4B47686A6F
k(%Jg+O
466B544253753146676F524279
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
y7uZ<
464E30636D6C755A77425464484A70626D644364576C735A475679
get_Module
xpo!j
xZ`FU
TextBox7
%7UH%
6F4F4253566144
WVN6{
I38/Y
[z9Yy
ndern
zB#'p
4z.=",
~%K.I
4C674256
K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"5
4267734864
Knoten "requestedExecutionLevel" wie folgt.
a^g~"
59514273
R))**d*R2
4A674231
676442516747
42485A585246626E52796555467A63325674596D7835
6367427A
7.27&
Speichern
IntPtr
%T($d
6B7944366377
MethodBase
4System.Web.Services.Protocols.SoapHttpClientProtocol
GroupBox1
s=9WeYq`
r*ncLH
RR2=9z|
nDT_G
%\^lDb
Rq/ gO+e
dq"|'
57524D4E4B384D524469426A
6F4C4551596662354D676C5A4D
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ahSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADPBj
}j#{B
556D56685A
u+6pq
4D5143
EH*-BD$!e
YSy5=
424D444B51487A
,|@t__
GuidAttribute
?Z1ZR
44514467
454577556244516C464367
%Y2aa
67576745
4369595A457734344450372F2F78454A4631675443526754446A6A2B2F662F2F45516B52427A454A48773054446A6A762F662F2F4552
496F4277
595267
update
45583443
M%Jh4C
AB]gg
set_Item
.@0tC`
y{6FqYs
__2?H
6B7944695377
1MR*%p''
))5'M
7l1QF
VirtualProtect
get_Font
J+&?l
"GN?Uc
get_ProductVersion
596D46784D4F4B36594449
2311q
Pm~EI
5753767045674C2B465134
544278384A457734346250372F2F78454C64514D
7Wg0=
51312F6E6376695A3459454C4453536A574E35577767426B3335642F2F4B704F4F57456962304C6362427431655337756E79727275795835345259664C422B342B2F493367714D7075796B32306934715674595144333474387172786E6B3164754F743475476447354E717558477758567167616F333977626D475647612B4A71524F4237544B35635A34485174563445455A68534D684732642F6C6A744F4A67486D64744344763054714A774737734C434248746A4451394832304C767A
Sqw0i
Versioned
LVV@U#_
_`gyw
424C4249524469422F
9[IUN$_m
4D77434D42
qhb6C
8MY8B
N0PDv
UserScopedSettingAttribute
'yqC@
-r,a8
qA9G;
o%eGo
\cCy3:
-{-Plsf(
Gn@>2
!Sh f
grQd-
6E4E49626742544D30685647687063794277636D396E636D467449474E68626D3576644342695A534279645734676157346752453954494731765A4755754451304B4A
w&L^|
434375
HttpWebResponse
314D42435143674B67
784D437351
1H%tj
System.CodeDom.Compiler
"_8V[
427371
9QTs1d1
435449434A6A
6F7746
?\&<g
ShutdownEventHandler
JtO3/z>
Auz6irC
45467A63325674596D78355247567A59334A7063485270623235426448527961574A31644755
4h1?C
5154424374
R2ibG0
&)@(7
5667426C
564363
xe[$\
=E)#1
'7=':+
Microsoft.VisualBasic
42424D474B3059524245554E
X9ia'
ldsH)hmc
42467048527749
4548536D50536D52766B65385357756359726138582B31753932744E4B784E53333173783446794C38655973547A35714C373832496249434439504A655A447973
:nf(2R
o%WBmxw
AssemblyCompanyAttribute
CvQ'7
5443546A312F762F2F45517367617745
4345684D
0E)+r
2$/O`
K/Z^J
i0RGq
K"K"7
Buu~/~
-8,'B
5973444C674244
,pKcX
M;y.Q
Os21n
4JLio
1v(^s
Spk/~
|/W5e
BOj/~
MIv;a
xXOak
zt@~>;
kernel32.dll
Zg1cd&
c}b79
r&{.oc
63674276
YOM.d
424277634468467048527745
neuanlage
m#]g)M
43674246
42304643
dpzwF`\C(
<r,e^J(
464E356333526C62533544623278735A574E3061573975637742446232787663674242636E4A6865557870633351
fZN0S
51544279744C455156464377
.U\dmr
,(3 u
remove_SelectedIndexChanged
=Ii1#
495756334A6863453576626B56345932567764476C76626C526F636D39336377454549
get_Text
Strings
425A444467342F2F2F2F426E5544
0{CW|!
33674C52
SF1E8
4544684A4E43
2wbq4
p>z([
>)bLZ
'IS.n
6B6645424D4F4F47542F2F2F385244794239
%O{Yq
77734843
W9/Mm
4367595857
Q,j9H
d7NdZ
4E494B6B43
47646C64463943
K"K"K"K"K"K"K"K"K"K"K"K"K"4
~&iTQ"B
WCJ_n:
Eh6.CAy
49466742
Gespeichert
57524D494F4E332B2F2F38574B
WebResponse
_<j(4
61514273
45774476
kT'Id
625133567A6447397449454A31626D6C6D6453
62774277
p^Xlf
+c,Rf
g>>>o
$Rp1{
X[nnt
qh}sf
426C43645735705A6E5567526E4A686257563362334A724943306756556B6754476C69
kky.X
EiT>7
add_Shutdown
KG_qn
?RZ@+pD
System.Diagnostics
57524D4C4F4E482B2F2F386644537631426E5550
-->
CallByName
6A6667
a"(*WN
updatebat
qJk/Q
4352474C51
594E45516B676C51
724368454B494E45
524A4242
Z_jNZrj
e_|7N
FX?/aL
_)69nd
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
5059424977
Label
435457524D454F49332B2F2F38
,T74R5
%CbEX
8vKJU
4D5135
435449506830
5877424A
[cy-a
7173434351436F4F
x~1F9
\update.bat
53514250
IContainer
gK[8>Bv4
name="Microsoft.Windows.Common-Controls"
Dietmar
H<lFz
6B4C77
]dSo3/
6B7942425951
445351487A
`6?*g
46394263334E6C62574A736551425465584E305A573075556E567564476C745A53354A626E526C636D397755325679646D6C6A5A584D
5351447A
6_&<[
w#"%y
AccessedThroughPropertyAttribute
IconData
424546494E63
Z3y>b
X}z:7.,
73674570
M61 r
;O`0y
WUMD6
446551487A
6B7942643377
tn+9b
676157776C5A4D676B6643684D464F43372F2F2F38654B2F59486453
5A51424A
"'Z9g
+https://unity-wow.tk/download/Werkstatt.exe
Microsoft.VisualBasic.Devices
466B54424467322F2F2F2F434268644C516758457751344B662F2F2F786B723967637147524D454F427A2F2F2F38544D
6F6175686F5A376B6A575755
5151427A
G$5|4'
e5g=~
~>;"r
//Gha$
jhAKU
?53kK
AXXWbs
425A4577517268424547483053544943656D
WlaBq
I+k&s
IMISK=A
zuSKz
51474642
AuthenticationMode
\^n<NV
299yo
434343
4:MM?F
Ks|O4
y;u9bT
436773524253
Button6
Create__Instance__
HiNm0Y$
4364426E5144
575144
55336C7A644756744C6B527959586470626D63
get_Length
ZjX\t
WRxfV
57524D4C4F44662F2F2F384343424545494E3843
l=B B
,"#k*
jpzx]
454645546B65
6643524D464B36
4B437845464944
GetMethods
bPxE0
466B54425467692F2F2F2F
EditorBrowsableState
Ow6y4"
:N{N$Q
784349
6367556B
ControlCollection
/:=MYq
[XKb
5457567462334A35553352795A574674
474A68384B457755727652594B47424D464B37594F42
425A4577733459762F2F2F7749675A5145
A0Z9W
372B70347464345A2F775A5657365677366E564B4245774D655351594F775067366C78334835703778714C787A6D63693457777430664D725078334A2B4F6E456F666B59587A5A4654475469714564397230706F352B5064675064493145674831534D322B306B37434D4747384351553234454246623130776E322B
t092Q
776F484277676343
gwe~]
Clear
6251426C
?FGG7I
KHR8E
Update
427352444A4D544252454B64
5250704A473349
5751303456502F2F2F77595857
.WTb1<
type="win32"
SuspendLayout
v<6RM|
rTr_2r
I>BM!
schen
v]HLn
58CyZZ
42424D514B316F52446B5553
Close
K_f2Ma;>w
466B7236515A314477
qu"jf
d"vu:"
g9$nP
;Pgk;
396745
6A304352774A6B
rS$6q
9"b\F
?m}BS}
|St&^
535731685A3255
2x.+f
System.Resources
OD\*FoQ8a9yZ0="gY/-/7r:lc#.resources
316A64504D79365858466E70634A7678346D684F4F4733306C6B334E495A753170654968725150526F525357746B465338475437687745772F46645030635338616C2B2B50337A5543565446566359692B3967484245366F355051586176426D49502F50424C5A4B564C50594F4D4A76676B58746A454E685050524D314A45702B6A7758597055474E42742B4550645052672F5A332F74645A6472742F69637847786E5646345469703947616363496453517A
s~;+?
.text
466B54424375474869763546
MsgBoxStyle
62466767676A6745
K"K"K"K"K"K"K"K"K"7
4C7N'+-
D1|{Ky)f
PrintPageEventHandler
445146
NIn$+>
515443583443
LvxHn
|"Onf
<security>
4553545246524269
O}y,q*
,tG-F
i4m$p7;
64674934
Label9
/E6&K
Hn8|l
UFX}4
1'=89
|,Xzb
9kZ *
kh#(#
6gD>7
:[6kKs
(_Ig~
=TPFg
/5\Q>
ts\` =
GtQ+7
466B5442446A462F762F2F434268644C516B6643684D454F4C662B2F2F38524253
vU0|T8e
K"K"K"K"K"K"K"7
f?E\F*2
454362776F
DebuggerNonUserCodeAttribute
FormBorderStyle
Np$Y4
ToolStripLabel
ww2KW
75546B565549474E76626E52796232787A
K"K"K"K"K"K"K"5
Translation
sqj>M
_c____;_;7
Rjkor`
uDjyu
op_Explicit
WF,OX
56KmE
42735749
8-&&(
594B46684D494B376747645245
375053716D6A4D6B583879525647327848354766334E396764716F434B70454D6F756C4445623369584C333164
31"T&E
l4cl,h\q
47674D68
775964
S=y&gW>#
596D4B67
?R8ZY
ListBox4
g_g698
<zcgPkr
77454F44673444426845554377634843
9;j,qP
7gXb?s
Control
System.Configuration
(J$3/
(y3u_
Be@Jp]P
mscorlib
9EnG_
567649
c|m%q
4C6732
:/hP;
5232563054324A715A574E30
435449505442
ic6s;
2}a2l/cs
4B457759524369446C
lh$)}
77674948514D4943
53554E31633352766255463064484A70596E56305A56427962335A705A475679
45704B596953333548505373666A32585A67506E5562677A646E75454436646C656A6A764C5457386A633443695769656C53626D6D4E4B364B62694A6F485A666878716877613367306B723464584942586D52327148396A4F384D47525765616848314E344271436D384C6B6A65784C517978334F554A71544D557566344F585979756A6173654B6A304242634C504F32
44514251
hZC/+
#F:c=R
'GcU{
474A6859544243753646676F5242534461
344D424B514364
q~<>C
61457755726D424547494E4D
get_Image
534D5159
68453545546B4742673451
67674943
PrintDocument1
>,&Yw
dQQZ p
2[72Km
D?TP<
525A7A
EL]Fr
483443
';vY~G
PictureBoxSizeMode
)d1zB
DWQ6~
Q0H$.
]gIDATL
4C67426B
bQMs 1/
517348644245
cmL.k
445951487A
456C756332567964464A68626D646C
g|Zg1
{Ct_{
;cP-/e
%v"|_
?ml{D
8+f@@x
p.E.g
<assemblyIdentity
525277
V\?bO
}I0[H
Process
57524D454F48442F2F2F38436A
pOGX?)
37675A47453275
47646C644639495A576C6E614851
Wenn Sie die Ebene der Benutzerkontensteuerung f
K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"4
Button3
&uH=C
T(!prf
FailFast
^oK;%&
Durch Angabe des Elements "requestedExecutionLevel" wird die Datei- und Registrierungsvirtualisierung deaktiviert.
set_ClientSize
zMx|9
5A314277
"Iq|+
HrQq'
$8sk!*
674945546B43
Microsoft.VisualBasic.MyServices
Benutzer:
~ zaW
=L\-
Datenbankpfad:
6vjo'
9_B=92>
7357445468382F2F2F2F
44784E623252316247552B
656978717A6245657A735034754945787165
1oe5>
(nyKv
'hXUZ
Label7
TextBox6
-':^~
Point
W ,~2
<dependency>
454243
^+wVF}
1.2.0.0
?][>6%
-QY\;|
BD!")
i:Xme
425A4B2B384F42
77584577513453662F2F2F77675958583443
/wd|I#
dk:J<
AssemblyTrademarkAttribute
^v`|x
6F4E79446D4A384F42676A787255516361646E62363451684C3074
Opp"M
EwD73/
=>JXr
/ioZOo
4267544452454E525163
FKctV8
474742694E4251
")QB|
4771316A7742717870704E37564A656431625258374E4B7046485052547759754E535A6D6D562B2F67476C4946663430616543364A4D68787A6C586974616B666745437A34
f\t~sg
yEGe9u
6B7943554277
436773574577513457662F2F2F77595857
7830444251
7A6F423651
INSERT INTO service(kennzeichen, datum, km, was) VALUES ('
45374474
4B4F6152645A2F6749572F67455442685954435469682F762F2F4551597443423454435469562F762F2F48437632456749436A6D6B5857536745
5A325630583164705A48526F
OnCreateMainForm
anmelden. F
346F42
575130727A6750514267
p~&G4
=Sl<V
454577562B42
<BDUi
624679
^yGyw*
My.WebServices
e?\^/j
42436742
45527063334276633255
G+uP*
</application>
14x|%PM
DaL57
XutG#
51584E7A5A57316962486B
|JLcAK
K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"4
-1]9
,`Ai%/
6267426D
424A525953425238654833516F4451
S$Y="6
DJmRY
4A4C4A3261395449
rT}ZH
67766749
j^r7~ O
7A514352
34594B7A34594B74
.JPlm
$this.Icon
+g%uU
pe|_6<
6OQ??
d}}#W
IIX|U&p
4354494D7177
)OqGaL
Gus84f
7A6F426751
Xm47cK
_#m{d5
"}7!&
$`d'h
set_HorizontalExtent
%9c{L
;Z7ws
mscoree.dll
'X1sa
=KO_U
cccc_c__6
K"K"K"K"K"K"5
6B4F575A694F4449774E6D55744E44
P$OEO
k'7^fI=
remove_Click
</applicationRequestMinimum>
u{i{/
$JFWx
yrz!^I
Motorrad Daten
466B7236516371455159672B7745
[Y903
*`+Ll
J{e/A
nl:R@
Tf$R+
set_UseSystemPasswordChar
O^PrSYq,Y`
[w26O
57524D464F43662F2F2F384A474630744352384A4577553447662F2F2F78454848303654494A3944
$Z8eSE3l9Qo\\qL\]u<HF:()Lq(.resources
45494A
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
TextBox5
,@{X:
uplabelnew
Y`^`]2t
4b?20n
4E73577750596B4567795A78762F3565703758773958384E3376707347464E56323533726832687A374F68517169703876626F3144676C475763654A78576A42763930493663614A4E765758665A6B7548342B59536A724E50343030624346576A6C7A56
5A4243304347514539424651435951424642473843595142564249774363514266424B4D434D514274424D514369514279424E6B436551423742446F42
514244
:u!q%
514254
fuW1A
4B5151
w%?=|
674453
73644577513465662F2F2F77496F4777
Wfv_-J>
384663
.:S6Pj^
'*06`0}>M@0=<<ueRFSH!_87"
375251
4B34504D4C45756263394F6747656C713432635756794753654E666A6E5A72385A6572463144786A7663587754544A313645306F5662746E33
442F71747876536A776D6D4B4D6F4E53772B6E707433764A475A2F346438483776372B7430614A4C314E424E746671564976653271696642796F39766B4E49712F645075335164527476304569624E3463
$bBw;
5A514275
= eWr
#BR&
]#p[#A;
Label4
Qzzbu2L
@lX4Z
fX\=0/
ndern m
5A77426F
C3hyK
67697745
4V=m']$
hDZEO
PBd/ ]t
=Ls?@q
656A6636554237596766795A2F496E38
rv%DV
yLx7:|
425A457755726D78454749483442
QVP%r
y~z+V
51774663
4C7858
4358554A
y%]Ne_
<!-- Designs f
publicKeyToken="6595b64144ccf1df"
6E52594D4F47502F2F2F384764514D
*Ha8l
456F42
4342686243566B794652454749433442
zC`u"
}l-m;v
6F45436D
%0E0X
PictureBox1
W,^xQ'
@nv.aG
;g:+#
434747504D
396F42635144
6F544242454B64514D
set_ForeColor
515442583443
454A54536B4942
PerformLayout
%lrgcS5'3
zKSQS
6F515836
/OVgp
[q{0[R
Y~@]`
mO-8*
5=C)ZVK
624843445448
( 8Y^
!*+6#Tk
6;;;777763
}tkuAB
xF-g@
j-)UO
55336C7A644756744C6C526C654851
set_Font
PictureBox2
x?~[k-Y
ToolStripDropDownButton1
51Zp
T;7d-Y;
GetResponse
WrapNonExceptionThrows
'\*06`0}>M@0=<<ueRFSH!_87".resources
i13Nl
<!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
4D4957
453043
6151426E
K"K"K"K"K"K"K"2
1b5-BY
59774279
51656A5145
51kY_:g
)X9T 57
zBO_$q
Ry}c g
46676F65457751727A6751445952383857515A68525145
57524D464F472F2F2F2F38474631674B49464946
o4A4f?
E$n|)o
MethodInfo
Xom!<
SELECT * FROM motorrad WHERE kennzeichen='
434443
wq$u!
494348
e 1+B
466B7236684545494D30
45734568454F49495942
*K5,:W1b
2F4330
11@#e
Equals
;wj0r
Passwort:
2F2F38
F@i!AX
vruv!uofP\
.abSW
456C4561584E7762334E68596D786C
444C674254
:]A|l
4A4D67474663
dDhl)
6F7130
String
.NETFramework,Version=v4.0
SizeF
51676C67
5647394A626E517A4D6742485A5852436558526C6377446867713368677130
|Xul'
>A~J9
`a2DC
6F52446839566B7943644651
624779
5059427A77
45515967306745
1Tf*E
]^Etg
484942
59514275
A(co<@
57524D494F434C2F2F2F38524264
IbR,|\FM
Color
Yc13o#
4+[1{
Int32
425A45775172715151445952382B57515A68525145
'3!m,
h]ihB>
YAr<<
b"q-X
CompilationRelaxationsAttribute
z\e3al7<
%Fm$a
4545775557457751524245554A
gWz(YP
H-*?z
o.-'%h"
497433706356686B3034496B497344396666784856436A6F48
hmb`v
4544434234
/F?xA
A@~fl
@gZ :G
hersteller
42734442
V3hL_
BWo!]
Assembly
57524D464B364545
&q{B.?MB
J9s.,J
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
iq-"D
~ZMV1y
57524D4C4F486E2F2F2F38574442454D49453442
}/`0>
482F2F2F385244426C59457777524268386658784547494D442F
^7iF*@baf@l<%yp@K@_#$H"U&
454577562B
wjo_A_
:+^:pl[
6F6746456E6A5242384C4769674B
5A514233
A[bF[
Lc!H6
515445583445
EZa8B
ToolStripButton
4273486D69554E4C
DrawImage
set_AutoScaleMode
Remove
b+lNx
1;!]@
/j34Xb
4779676A
HelpKeywordAttribute
=[X8&
68514D4449
rc*-'q
+u8~n2
G7GDKf
4270776C4678494649496B
Label5
8=sVa
swh9=
get_Count
##.#k
=_~N
nl&)|
r+fO2
4367735A45775534582F2F2F2F77595857
lL<1&
ssen sich nicht
#Blob
f^0:[
466B4D4B34514764
%SrZS
[i??w
add_Click
r8_GZ
System.Reflection
Xuwvr
.ctor
?&bO5
|r6 o
435449474763
)Gy?a
Mgh=
zZ=X(
Duy0c
InvalidOperationException
D](N?@
!t[i"
js8_8
*Swn7
ctr!.
SELECT * FROM service WHERE kennzeichen='
54567151
4A4E2B
Werkstatt.Resources.resources
ComponentResourceManager
426959714F48482F2F2F38
4E774639
4C51435142
s$9w{
67596348674565
diP>5
4A4D67
454577637250684546525173
`bj:n
rf<0&
Td5(E
p+i nW+
-ZO9x`
K"K"K"K"2
5AMet
RightToLeft
s:1q2
C7#5i
776F42425163
R"Q2D**C
\lf5R
2G,Bg
System.Drawing.Icon
+& 7^
d}~"7
`sJ =
677151
set_UseVisualStyleBackColor
MyTemplate
4D4645424535
68454232514369
get_FileSystem
>o!g5B
e+w}.
51476D
?N'+:
,k"s:
ContainsKey
?1q}!s
\tL<I
U pZv
K"K"K"K"K"5
47324B6C5745
4367305A4577735243305547
K"K"K"K"K"K"K"K"K"K"K"K"K"K"K"6
%aog0
S(it`
System.Threading
Mq^nX
>X%(MO&^
$>O@\
c'k8jX
set_Icon
ListBox3
NZd+y
}WQNP
X*7a`
!RYO0v
Gqro+
<application>
51584E7A5A57316962486C4462334235636D6C6E614852426448527961574A31644755
b%EYf
78446F
F>$AE
add_PrintPage
454B426E5544
CheckForSyncLockOnValueType
;.nj%#
674C45
}]fO]M
C3UJ4
{7N!a
YF6=E
t+}@t
696748
573845
.l&js
]J+uX[
51544379745745516C464551
446867724D
/fW#m
556D567A6158706C
ExecuteNonQuery
set_FileName
zL/?f
454942
5154427974444551564644
DebuggerBrowsableAttribute
A9|OK
Z"~1
sDG|.5{R
446C67
___^____:[67676
30484277675367496B4943
436E5142
e1y.{
)M]i;2W$
5132397559324630
q1h>I't
}5Fv^
wFsQ(
4273644948494E
}MCC1"
ToByte
M U@C
c+jM?
7/6MM
Oh1HJ
624949
786F484642495A456730494842776343
/_:;Yp
(|V:!
5067556B
GetCurrentProcess
2]Qm7
BYv?$n
EventArgs
OTxfW
..'}D*
6B333443
3hT=7
425A4577553464502F2F2F774B4D
425A4B2B30554378384A4453754F4B426F
K"K"K"K"K"K"K"4
` ".sy{
bs=F/
57m9o}
(iz]E
5A63427177484F
4354494C7144
Sw3?{
9MotEu9
4A4D677A396F
454A35644755
_H#?j)S
vT-'b
4355554D
l<Ik,
d8F1f~
4D3842
z{Zb9
s0<+|
DebuggerStepThroughAttribute
I{qXx
Xf$Gu
525145
7bqp&
fHK:1
gm$O9CAb
</security>
424F4961776A61674530682B61613567665A5A33394F446934524377753357354B71677274533444765678756934365A7A6164657574656451465A54664B792B7453573663426F4A516E484D654D47495134496E4542644655337A4C7234367A62777445432B6E57565573426A626E686262644C47516948495172427A374B56634470647556794C463274444E7A694A4A654C45693864466965464F457350356C476372464B754D4831714E6A6F6D62546E50484F31
52495A45536B4449
6E526D4E49
*BHS)%
@YFGG7
A-/qo
464E356333526C625335535A584E7664584A6A5A584D
696758
DcuRZ
47366546533364384A633537776A3661463856763574756749552F432F3933364D6E766D48522F362B6557443834494735686257725A30523451424F3766785178356B36614C436E4A4D7062442F4866655771342B4777584C46715946454F366E4D2F32
LKJb*?{r
I~`Tg
XF\j&
4E45434551434C
System.Text
@At.p
6o&Yx
4A4D6777336B
494244684A5A4243
hlt. -->
System.ComponentModel.Design
#s4h;3
596D48684D454B3759574368595442437576
w#g3x
517757445259544242454C483153544949
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
K"K"K"K"K"K"K"K"K"3
Assembly Version
+NcT&
%^XZ-E
X0c8-_R83
get_Network
get_Assembly
524269
Y*AoW
43544943526A
446B5677
:9QgQ
5q\,GZS
5e<&f
48794F4E
!7a-:C?
@w|:wO
+Wck]
ThreadStaticAttribute
y9K%k
ClearProjectError
454530
Q~n='4
&cM9'
,o>@c
G\;_b*
47323855
{_J3>
]?y%*
ContainerControl
=E{x9
^F,r6u
!4s.2
CompareString
Marshal
4269596643524D454B3730574368454649424542
,lj]h
9CP<bWq
/7 tw
>N~m#W
LB(o6
+$klb
sfJX_
96T4<DJ
E9`IdD
7RRYt,
K"K"6
r:ElH
46684D464B365566435376344877304C45515967547745
32456661466B4759555543
Oh?Oft]
705145
4C774569
An#Xnt
376F4263514336
6873424B51447A
set_EnableVisualStyles
4245673053545159
-N_e
$_l/g
776244523449476C734A5754495645515967445145
51544269744B455152464467
474D42
upAw,
5A514274
'}M9Wg
Hy/Pm
Label1
8Q|'>a
rJj")
L%rG#V
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADE`4
set_MainForm
K"K"K"K"K"K"K"K"K"K"5
dRXk8
^b:k07
k|7+6
sqXin
iwQ/S
TextBox1
62774275
F}Elf
514D43485144
77674945
1t g&]a
\1[+>
4245474830795449476E4C
434242304648674565
mL7Mo
~&;T
496767
ToolStripItem
'Y^5T
""""""""""""""""
!3y(P
Reperatur & Service
2+M`V
cd4>w
\D~y,>
4367312B4277
7752764951
>N+ 7h
!tM+)N
mpk;E
Label2
4B4378454849424542
K"K"K"3
#}Z&ZZ}
}$EM8
424D7743
O$@d(
4545776F624577675243455549
BackgroundWorker
7752684879525A426D4646
l&9.a
774D4D4277674943
Conversions
[t'bg
776367
4A4D67503034
Driver={Microsoft Access Driver (*.mdb)};Dbq=
SW8)l$<}
2F634273514466
V=<=3
K"K"K"K"4
6651474A
536F574454684D2F2F2F2F
xKCC7
Ib}o.M
@U/7D[
7277556B
Py<+*~q
425A4577517272513445446756684879785A426D4646
5A4577553462502F2F2F7845474946
4D4D424351
S;b!Q
FK:Tt
skL&[\
2os/b>S
6E516B6648354D674A374D
ObjectCollection
`[9n5vP&d
44514377
52495A4279
.ZQd-
K"K"4
z\NwS$e
4242676765
y:PD@
4242335542
NxePO
436773614577513457662F2F2F774B4D
~H'U z
Microsoft Sans Serif
{yL-<
^%D$o
get_FullyQualifiedName
L!Y6-
5167567749
474577515242485157
424851554F4378
bG8v`
Interaction
Exception
+g~(s
SetProjectError
nden der Abw
reifen
6F4C48776B4E4B344D474631674B
oFdPb
DNY%P
666F444C67427A
a;t0$
L3&NH
qm<LUV6}
5955444C67
52484A686477446C704B666D7462666A677049
4'ff:NF
2bTe7
4A4D6768746F
m|@yz/s
-->
Copyright
AVG1q
'L'{F
5345444C67
/>
=o=Q-
{'3{\_$%
r die Anwendung erforderlich ist.
5753767042796F5242534458
Q^6eg+
&:b\3^
62774273
6/s{6
f~<A'
K"K"K"K"K"K"K"K"K"K"6
Button1
y9|vs
4243645735705A6E557556556B755A477873
E'j)+
[N+sE
70586C51496F435234
get_SaveMySettingsOnExit
/&b'?
1<im#~
s:v_
WeTj&"
language="*"
536F544D
304263
Mk6kI
wC/k>
twzP{s.
;|ahyuA-
/VdY3B&
<windowsSettings>
`.rsrc
~}\KA9
`uc6s
c='&J
a%&8y
System.Collections
uNVLZ7O
hF-?B
735242534248
CWm S
m<OVD
3052427839566B7943624651
434369
J/^Xt
s{|#S
eNXoX
NpmF=1%
/T_)`
/6{VS1
467343435144
C{)lu#
Jq.w<
!A,lVa
+?bou
a{>OxC
0a8#$/05
qz4Vr
57524D4A4F4C662B2F2F385242
TargetFrameworkAttribute
vY<x#E
;s"}fg
,G&v3jw
456B4E7663486C796157646F644344437153
!ML^eDy
6755424867
f`\#e
vB|\7'
(0 y5
>z'q\
4467447451494A
2B555271506C4C4E6F6246307448617653727768546C4465554B7569675A3250435231362F5650306346745059337277746967636A7833336C4765583546657A
PrintDocument
43442B
Label8
6H -]
}E|o*
51675353517351
wv-^E
396F426551444D
Oo:93
b*X\'NUr
AutoScaleMode
*Bjb)>s~
$O_57
G9.I/&
K"K"K"K"K"K"K"K"K"K"K"K"4
:ccc_
424D7742
30424D
Brushes
6247434274
UFVl}
445144
674948514D4943
?d[e
ZwlTk
Substring
QDm*d
347743
get_StartupPath
6[f>a
Zi2'f
AppDomain
-2EsA
425A4454675A2F2F2F2F42796F524253436A
ZY2=P@:38
k(!ccc
j:X{`&
W%Zw8
%C711q
59673051
674D4542536756
y7xd$9b
He"b"
514251
<!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
QK2<Y
</dependency>
674D6A
5A674231
596D47424D454B37345743684546483332544950347A
Button5
SetCompatibleTextRenderingDefault
CompilerGeneratedAttribute
FromBase64String
4234454E
9|{QE
ks97y
425A4578
Invoke
y'2(w(
];%N[.
52674250
4354494A6479
48635051
7n'90s
4B43686F544352454A525159
fQA(,
466B54425467612F2F2F2F
34594B6A
DrawString
30514369
o'2Jc
6C674969
4267594D4277674948
GeneratedCodeAttribute
0u3_o=@=
V6dLB
($sZ@
7752684832705A426D4646
696745
45467363476868
&SFS x
TextBox8
79514343
Hashtable
xJ,aj
0CGof
6B7942435951
4B4378384B45775534582F2F2F2F77595857
{Ys[g
/?Egr
436773624577553457762F2F2F77595857
674948514D64
466B54446A69342F762F2F48776B72395245484877396945517031
,M%fz
4F4743732B474370
6336534F7845744E56
+X]kF
s%b6}z
l{jBE
424F42
?+e%H
IK{yT3
J!YSE
6A516D78765967
H4fnf
t()cI
RichTextBox1
me0EI
\=:VP
get_Transparent
k?1$o
57524D464B3751574368454749483442
cw!U3
6B79424E5A67
i,291e
#V:0+
H8sGw
_[bp\
sfR!-wV
`6&&&
][0uy
b*E4_9Ow
Ilip$S
</compatibility>
M0S8Hej
l5hXU
42665132397952477873545746706267427463324E76636D566C4C6D527362
43456C6B4443
586E3251377074706D56325171396A726154754F3362526A49594677786E4B
477A562F3459426B7A6952
4B777A
Microsoft.VisualBasic.CompilerServices
42424D474B3049524245554D
6C67436E
535557466F7759
51774276
62457758647A
K"K"K"6
42515251
4273444B
@1#)X
BeginInit
Segoe UI Black
435449456869
ArgumentException
]_d.t
set_Text
6F4C48776B54425468
Lb6JM
GetHashCode
4273544253754C475376354877304C455159673077
466B544254674E2F2F2F2F
2B67454B
^:M0F
oCh=s
K"K"K"K"K"7
`lPj9
h9rs~cs
Ky0g*t
)OF0qfSU
Application
455143
ogNT!
424D77
W%2zg0
remove_PrintPage
lNzz!
PrintPreviewDialog1
MonthCalendar1
6B79446E5551
4354494C675A
Hpl~N
foh+c
9O[;9d
sOl43Ni
olfv]
P[G$|r
474A6834544253764346676F5A45775572757751465952395957515A68525145
Object
45774452
{tnYU
get_ButtonFace
{">sP
pV|T&
h$w|$L
/6z%h5
BackgroundWorker1
k7B*
:"2m6
""""""""""""""""""""""""""""""""
DY\EL
Reifen Gr
GetHINSTANCE
;P+sO
dWRl}
43736D47784D4A4B37634864
My.MyProject.Forms
674F4277674945546B524F5167494342304448514D49
54576C6A636D397A62325A304C6C5A706333566862454A6863326C6A
<!--
6F434467344749
', '
NjF4[
Environment
6A514934
`\SuI
~!n;Y
1z.&o
K"K"K"K"K"K"K"K"K"K"7
$NF-\
4C5943
465A686248566C56486C775A5144686772506867724D
wL60C|8
My.Computer
_aWTLt
get_DropDownItems
6451426A
r|x#c
424A64
processorArchitecture="*"
Label3
466B54425468422F2F2F2F45515967486745
i1O^>WB
G}v:E
DesignerGeneratedAttribute
SXT0
:U@_a
466B4E4B36304F425134455952386D57515A68525145
465235634755
&u#4\
466744
OdbcDataReader
version="6.0.0.0"
<!-- Windows 7 -->
ResourceManager
57524D454B365945
42694457
466B544253754D
426F69674C
en<+!
(>n>+
4A455974
Fgo,G
7Pn9Y
4A4D672F4D
4A6D713656435A6B5A45754A424A45674D4F5834455448677357727372744E49532B7A4D6D314E6756724F4249424D34644575373144424E482F474570525779626F6B7669542F79776552486D4C616C3838546C624372613267464E4C7857784875377775733579743137444A5A6F5A39354734453846
6F67716745
K"K"K"K"K"K"3
Be/*^
9Cxn9
9}u+N6J<
Garage
Operators
tR$=(
srm:J
zgSv%_ d
@-VmU
Button7
b+uJ:
PBge_~
3662653534344776
[.&pd
!>c>+
434433
4B4251
@dzEi
5A514257
_Qf<c{/

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x000c600a 0x00000000 0x000cd452 4.0 2082-09-15 13:41:50 f34d5f2d4577ed6d9ceec516c1f5a744

Version Infos

Translation 0x0000 0x04b0
Comments
CompanyName
FileDescription Werkstatt
FileVersion 1.2.0.0
InternalName uNVLZ7O.exe
LegalCopyright Copyright © Trust123 2021
LegalTrademarks
OriginalFilename uNVLZ7O.exe
ProductName Werkstatt
ProductVersion 1.2.0.0
Assembly Version 1.2.0.0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
TFk"(6>+ 0x00000400 0x00002000 0x00014ba4 0x00014c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.text 0x00015000 0x00018000 0x000a8f18 0x000a9000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.94
.rsrc 0x000be000 0x000c2000 0x00001188 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.05
.reloc 0x000bf200 0x000c4000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.09
0x000bf400 0x000c6000 0x00000010 0x00000200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.14

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000c20a0 0x00000324 LANG_NEUTRAL SUBLANG_NEUTRAL 3.35 None
RT_MANIFEST 0x000c23c4 0x00000dbf LANG_NEUTRAL SUBLANG_NEUTRAL 5.05 None

Imports

Name Address
_CorExeMain 0x4c6000


Assembly Information

Name uNVLZ7O
Version 1.2.0.0

Assembly References

Name Version
Microsoft.VisualBasic 10.0.0.0
mscorlib 4.0.0.0
System.Drawing 4.0.0.0
System 4.0.0.0
System.Windows.Forms 4.0.0.0
System.Data 4.0.0.0
System 2.0.0.0

Custom Attributes

Type Name Value
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Comput
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xc2\xa9 Trust123 20
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.2.0
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 6d62bb4f-2a29-4dae-8512-733e7b14da
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute Werksta
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute Werksta
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Applicati
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Us
Property [System]System.Configuration.DefaultSettingValueAttribute https://www.dropbox.com/s/mg7204nq9bccsrq/update.txt?dl
Property [System]System.Configuration.DefaultSettingValueAttribute https://unity-wow.tk/download/Werkstatt.e
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
Property [System]System.Configuration.DefaultSettingValueAttribute https://unity-wow.tk/download/update.b
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
Property [System]System.ComponentModel.Design.HelpKeywordAttribute My.Settin
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute ComboBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute ComboBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Butto
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Label
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Label
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Label
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Label
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Label
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Label
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute ComboBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute TextBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute TextBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute TextBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute TextBo
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute Labe
FieldDef [mscorlib]System.Runtime.CompilerServices.AccessedThroughPropertyAttribute TextBo

Type References




Credential Access
  • T1539 - Steal Web Session Cookie
    • infostealer_cookies

Defense Evasion
  • T1564 - Hide Artifacts
    • stealth_window
  • T1202 - Indirect Command Execution
    • uses_windows_utilities
    • suspicious_command_tools
  • T1036 - Masquerading
    • modifies_windows_system_files
  • T1055 - Process Injection
    • resumethread_remote_process
  • T1070.006 - Timestomp
    • pe_compile_timestomping
  • T1070 - Indicator Removal
    • deletes_executed_files
    • deletes_files
    • pe_compile_timestomping
  • T1027 - Obfuscated Files or Information
    • packer_entropy
    • packer_unknown_pe_section_name
  • T1564.003 - Hidden Window
    • stealth_window
  • T1070.004 - File Deletion
    • deletes_files
  • T1027.002 - Software Packing
    • packer_entropy
    • packer_unknown_pe_section_name

Discovery
  • T1082 - System Information Discovery
    • antivm_checks_available_memory

Command and Control
  • T1071 - Application Layer Protocol
    • procmem_yara
    • virus
    • reads_self
    • static_pe_anomaly

Execution
  • T1106 - Native API
    • antidebug_guardpages

Privilege Escalation
  • T1055 - Process Injection
    • resumethread_remote_process

Usage


Processing ( 9.44 seconds )

  • 9.121 CAPE
  • 0.299 BehaviorAnalysis
  • 0.01 NetworkAnalysis
  • 0.007 Heatmap
  • 0.003 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.01 antiav_detectreg
  • 0.005 infostealer_ftp
  • 0.005 territorial_disputes_sigs
  • 0.003 antianalysis_detectfile
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 masquerade_process_name
  • 0.003 ransomware_files
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.002 ransomware_extensions
  • 0.001 antidebug_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 darkcomet_regkeys
  • 0.001 poullight_files
  • 0.001 revil_mutexes
  • 0.001 ursnif_behavior

Reporting ( 0.10 seconds )

  • 0.049 ReportHTML
  • 0.024 LiteReport
  • 0.022 JsonDump
  • 0.005 MITRE_TTPS
  • 0.003 PCAP2CERT

Signatures

Checks available memory
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: BL 216238068 DOCS.exe, PID 6568
Guard pages use detected - possible anti-debugging.
Deletes files from disk
DeletedFile: C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp
Resumed a thread in another process
thread_resumed: Process bl 216238068 docs.exe with process ID 6568 resumed a thread in another process with the process ID 6568
thread_resumed: Process bl 216238068 docs.exe with process ID 6320 resumed a thread in another process with the process ID 6320
Reads data out of its own binary image
self_read: process: BL 216238068 DOCS.exe, pid: 6568, offset: 0x00000000, length: 0x000bf600
A process created a hidden window
process: BL 216238068 DOCS.exe -> schtasks.exe
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'TFk"(6>+', 'raw_address': '0x00000400', 'virtual_address': '0x00002000', 'virtual_size': '0x00014ba4', 'size_of_data': '0x00014c00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '8.00'}
unknown section: {'name': '', 'raw_address': '0x000bf400', 'virtual_address': '0x000c6000', 'virtual_size': '0x00000010', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x60000020', 'entropy': '0.14'}
The binary likely contains encrypted or compressed data
section: {'name': 'TFk"(6>+', 'raw_address': '0x00000400', 'virtual_address': '0x00002000', 'virtual_size': '0x00014ba4', 'size_of_data': '0x00014c00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '8.00'}
section: {'name': '.text', 'raw_address': '0x00015000', 'virtual_address': '0x00018000', 'virtual_size': '0x000a8f18', 'size_of_data': '0x000a9000', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x60000020', 'entropy': '6.94'}
Checks for presence of debugger via IsDebuggerPresent
Creates RWX memory
Uses Windows utilities for basic functionality
command: "C:\Windows\system32\sc.exe" start pushtoinstall registration
Uses Windows utilities to create a scheduled task
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFinHcUy" /XML "C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp"
command: schtasks.exe /Create /TN "Updates\WFinHcUy" /XML "C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp"
Touches a file containing cookies, possibly for information gathering
Process: BL 216238068 DOCS.exe (6568)
file C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies
Attempts to schedule tasks using an XML files that doesn't have .xml extensions
Likely virus infection of existing binary
file: c:\users\user\appdata\local\temp\bl 216238068 docs.exe
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6568 triggered the Yara rule 'AgentTeslaV3' with data '['get_kbok', 'get_CHoo', 'set_passwordIsSet', 'get_enableLog', 't\x00o\x00r\x00b\x00r\x00o\x00w\x00s\x00e\x00r\x00', 'l\x00o\x00g\x00i\x00n\x00s\x00', 'c\x00r\x00e\x00d\x00e\x00n\x00t\x00i\x00a\x00l\x00', 'set_Lenght', 'get_Keys', 'set_AllowAutoRedirect', 'set_UseShellExecute', 'set_IsBodyHtml', 'set_RedirectStandardOutput', 'get_Clipboard', 'get_Keyboard', 'get_Password', 'get_CtrlKeyDown', 'get_ShiftKeyDown', 'get_AltKeyDown']'
Hit: PID 6568 triggered the Yara rule 'AgentTeslaXor' with data '['{ 06 91 06 61 20 AA 00 00 00 61 D2 9C 06 17 58 0A 06 7E 98 01 00 04 8E 69 FE 04 2D D9 2A }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Modifies Windows System files (System32 / SysWOW64)
ModifiedFile: C:\Windows\System32\Tasks\Updates\WFinHcUy
Deletes executed files from disk
file: C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp
Uses suspicious command line tools or Windows utilities
command: "C:\Windows\system32\sc.exe" start pushtoinstall registration

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\user\AppData\Local\Temp\en-US\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources.exe
C:\Users\user\AppData\Local\Temp\en\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources.dll
C:\Users\user\AppData\Local\Temp\en\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources.dll
C:\Users\user\AppData\Local\Temp\en\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources.exe
C:\Users\user\AppData\Local\Temp\en\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources\\x662f\x6c0fZo ceXC\x6210\x53f8gM.resources.exe
C:\Users\user\AppData\Local\Temp\oxwvjJUYVtGAcSOHISAHUQOmmWRr.dll
C:\Users\user\AppData\Local\Temp\oxwvjJUYVtGAcSOHISAHUQOmmWRr\oxwvjJUYVtGAcSOHISAHUQOmmWRr.dll
C:\Users\user\AppData\Local\Temp\oxwvjJUYVtGAcSOHISAHUQOmmWRr.exe
C:\Users\user\AppData\Local\Temp\oxwvjJUYVtGAcSOHISAHUQOmmWRr\oxwvjJUYVtGAcSOHISAHUQOmmWRr.exe
C:\Users\user\AppData\Roaming\WFinHcUy.exe
C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp
C:\Users\user\AppData\Local\Temp\CFGMGR32.dll
C:\Windows\System32\cfgmgr32.dll
\??\PhysicalDrive0
C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuth.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\Tasks\Updates
C:\Windows\System32\Tasks\Updates\WFinHcUy
C:\Windows\System32\Tasks\Updates\
C:\Windows\assembly\NativeImages_v4.0.30319_32\rqdANvqSvcwa9e7a0fe#\*
C:\Windows\System32\sxs.dll
C:\Windows\SysWOW64\wbem\wbemdisp.tlb
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\*
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.INI
C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\CRYPTSP.dll
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.1940.1.aodl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth*.aodl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth*.odl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth*.odlsent
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth*.odlgz
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\telemetry-dll-ramp-value.txt
C:\Program Files (x86)
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealth.json
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.1940.1.odl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.580.1.aodl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.580.1.odl
C:\Users\user\AppData\Roaming\WFinHcUy.exe
C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp
C:\Windows\System32\Tasks\Updates\WFinHcUy
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.1940.1.aodl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.1940.1.odl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.580.1.aodl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.580.1.odl
C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.1940.1.aodl
C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-12-10.0040.580.1.aodl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\eu-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\eu-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-MX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-MX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pt-PT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pt-PT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fr-CA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fr-CA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\vi-VN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\vi-VN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ko-KR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ko-KR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-TW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-TW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-HK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-HK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-CN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-CN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ja-JP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ja-JP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dlt
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_CURRENT_USER\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_CURRENT_USER\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_CURRENT_USER\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_CURRENT_USER\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_CURRENT_USER\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_CURRENT_USER\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_CURRENT_USER\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_CURRENT_USER\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_CURRENT_USER\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_CURRENT_USER\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_CURRENT_USER\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_CURRENT_USER\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_CURRENT_USER\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_CURRENT_USER\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_CURRENT_USER\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_CURRENT_USER\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Magneto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2527171340-3306644326-1278290521-1001\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|BL 216238068 DOCS.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|BL 216238068 DOCS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|BL 216238068 DOCS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2527171340-3306644326-1278290521-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MRT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Features
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\MpEngine
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\MpEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\EnableRemoteManagedDefaults
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-500600000000}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-500600000000}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-500600000000}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CustomAttributes
HKEY_CURRENT_USER\Software\Classes\Interface\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\TreatAs
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\Elevation
HKEY_CURRENT_USER\Software\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{89BC3F49-F8D9-5103-BA13-DE497E609167}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{89BC3F49-F8D9-5103-BA13-DE497E609167}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySleepLoopWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySpinCountThreshold
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayBaseYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtFactorYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayMaxYield
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.AllowFullDomainLiterals
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowFullDomainLiterals
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.FinishProxyTunnelConnectionEarly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\FinishProxyTunnelConnectionEarly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.AllowNewLineInFtpCommand
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowNewLineInFtpCommand
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_CURRENT_USER\Software\Classes\AppID\BL 216238068 DOCS.exe
HKEY_LOCAL_MACHINE\Software\Classes\AppID\BL 216238068 DOCS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\Software\Classes\WinMgmts
HKEY_CURRENT_USER\Software\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal\ScopeIdToMountPointPathCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\DisablePersonalSync
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AllowPotentiallyInsecureAutoNgenBehaviors
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000604xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\Gp\RuleCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\BL 216238068 DOCS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\DeferPrecreateAndRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParsingName_36354489
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\DPLProtectionLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\DeferPrecreateAndRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParsingName_36354489
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\DPLProtectionLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache\Parameters\ClientCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ca-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ca-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cs-CZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cs-CZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\da-DK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\da-DK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\de-DE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\de-DE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\el-GR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\el-GR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-ES_tradnl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-ES_tradnl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fi-FI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fi-FI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fr-FR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fr-FR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\hu-HU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\hu-HU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\nl-NL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\nl-NL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\nb-NO
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\nb-NO
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pl-PL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pl-PL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pt-BR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pt-BR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sk-SK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\sk-SK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sv-SE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\sv-SE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\tr-TR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\tr-TR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sl-SI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\sl-SI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\eu-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\eu-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-MX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-MX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pt-PT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pt-PT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-ES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fr-CA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fr-CA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\vi-VN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\vi-VN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ko-KR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ko-KR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-TW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-TW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-HK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-HK
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-CN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-CN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ja-JP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ja-JP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dlt
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\EnableRemoteManagedDefaults
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-500600000000}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70ce53cd-0000-0000-0000-500600000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\(Default)
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFinHcUy" /XML "C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp"
schtasks.exe /Create /TN "Updates\WFinHcUy" /XML "C:\Users\user\AppData\Local\Temp\tmpDA7F.tmp"
"{path}"
"C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\FileCoAuth.exe" -Embedding
"C:\Windows\system32\sc.exe" start pushtoinstall registration
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\SM0:6568:168:WilStaging_02
Local\SM0:6320:168:WilStaging_02
Local\SM0:1940:168:WilStaging_02
Local\SM0:580:168:WilStaging_02
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.