| Category | Package | Started | Completed | Duration | Options |
|---|---|---|---|---|---|
| FILE | exe | 2025-11-19 23:43:57 | 2025-11-19 23:47:42 | 225 seconds | interactive=1, nohuman=yes |
Analysis Log:

```
2025-11-20 02:01:41,562 [root] INFO: Date set to: 20251119T23:41:11, timeout set to: 200
2025-11-19 23:41:11,008 [root] DEBUG: Starting analyzer from: C:\2oozvway
2025-11-19 23:41:11,009 [root] DEBUG: Storing results at: C:\xVgYcbaMe
2025-11-19 23:41:11,009 [root] DEBUG: Pipe server name: \\.\PIPE\atJNpNkCXZ
2025-11-19 23:41:11,009 [root] DEBUG: Python path: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32
2025-11-19 23:41:11,010 [root] INFO: analysis running as an admin
2025-11-19 23:41:11,010 [root] INFO: analysis package specified: "exe"
2025-11-19 23:41:11,010 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-11-19 23:41:11,017 [root] DEBUG: imported analysis package "exe"
2025-11-19 23:41:11,018 [root] DEBUG: initializing analysis package "exe"...
2025-11-19 23:41:11,018 [lib.common.common] INFO: wrapping
2025-11-19 23:41:11,018 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-19 23:41:11,019 [root] DEBUG: New location of moved file: C:\Temp\PoliceAssist.exe
2025-11-19 23:41:11,019 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-11-19 23:41:11,020 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-11-19 23:41:11,020 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-11-19 23:41:11,020 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-11-19 23:41:11,041 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-11-19 23:41:11,051 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-11-19 23:41:11,073 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-11-19 23:41:11,101 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-11-19 23:41:11,108 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-11-19 23:41:11,176 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-11-19 23:41:11,179 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-11-19 23:41:11,202 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2025-11-19 23:41:11,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-11-19 23:41:11,207 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-11-19 23:41:11,208 [root] DEBUG: Initialized auxiliary module "Browser"
2025-11-19 23:41:11,208 [root] DEBUG: attempting to configure 'Browser' from data
2025-11-19 23:41:11,210 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-11-19 23:41:11,211 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-11-19 23:41:11,212 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-11-19 23:41:11,212 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-11-19 23:41:11,213 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-11-19 23:41:11,213 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-11-19 23:41:11,214 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-11-19 23:41:11,214 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-11-19 23:41:11,524 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-11-19 23:41:11,525 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-11-19 23:41:11,526 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-11-19 23:41:11,526 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-11-19 23:41:11,526 [root] DEBUG: attempting to configure 'Disguise' from data
2025-11-19 23:41:11,527 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-11-19 23:41:11,527 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-11-19 23:41:11,528 [modules.auxiliary.disguise] INFO: Disguising GUID to 4c1605f1-0d83-4df8-9125-33039ac196e8
2025-11-19 23:41:11,528 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-11-19 23:41:11,529 [root] DEBUG: Initialized auxiliary module "Human"
2025-11-19 23:41:11,529 [root] DEBUG: attempting to configure 'Human' from data
2025-11-19 23:41:11,529 [root] DEBUG: module Human does not support data configuration, ignoring
2025-11-19 23:41:11,530 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-11-19 23:41:11,532 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-11-19 23:41:11,532 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-11-19 23:41:11,532 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-11-19 23:41:11,533 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-11-19 23:41:11,533 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-11-19 23:41:11,534 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-11-19 23:41:11,534 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-11-19 23:41:11,534 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-11-19 23:41:11,535 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-11-19 23:41:11,535 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-11-19 23:41:11,537 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608
2025-11-19 23:41:11,834 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\2oozvway\dll\608.ini
2025-11-19 23:41:11,836 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:11,837 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-11-19 23:41:11,845 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:11,880 [root] DEBUG: Loader: Injecting process 608 with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:11,902 [root] DEBUG: 608: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:41:11,903 [root] DEBUG: 608: Disabling sleep skipping.
2025-11-19 23:41:11,905 [root] DEBUG: 608: Interactive desktop enabled.
2025-11-19 23:41:11,906 [root] DEBUG: 608: TLS secret dump mode enabled.
2025-11-19 23:41:11,944 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:41:11,945 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEC4670000, thread 1880, image base 0x00007FF60EE30000, stack from 0x000000A5F48F2000-0x000000A5F4900000
2025-11-19 23:41:11,945 [root] DEBUG: 608: Commandline: C:\Windows\system32\lsass.exe
2025-11-19 23:41:11,956 [root] DEBUG: 608: Hooked 5 out of 5 functions
2025-11-19 23:41:11,958 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-19 23:41:11,959 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:11,967 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>
2025-11-19 23:41:11,968 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-11-19 23:41:11,968 [root] INFO: Interactive mode enabled - injecting into explorer shell
2025-11-19 23:41:11,969 [lib.api.process] INFO: Monitor config for <Process 2552 explorer.exe>: C:\2oozvway\dll\2552.ini
2025-11-19 23:41:11,973 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:11,976 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:11,990 [root] DEBUG: Loader: Injecting process 2552 with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:11,996 [root] DEBUG: 2552: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:41:11,998 [root] DEBUG: 2552: Disabling sleep skipping.
2025-11-19 23:41:11,999 [root] DEBUG: 2552: Interactive desktop enabled.
2025-11-19 23:41:11,999 [root] DEBUG: 2552: Dropped file limit defaulting to 100.
2025-11-19 23:41:12,001 [root] DEBUG: 2552: Interactive desktop - injecting Explorer Shell
2025-11-19 23:41:12,018 [root] DEBUG: 2552: YaraInit: Compiled 43 rule files
2025-11-19 23:41:12,021 [root] DEBUG: 2552: YaraInit: Compiled rules saved to file C:\2oozvway\data\yara\capemon.yac
2025-11-19 23:41:12,053 [root] DEBUG: 2552: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:41:12,054 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316
2025-11-19 23:41:12,184 [root] DEBUG: 2552: Monitor initialised: 64-bit capemon loaded in process 2552 at 0x00007FFEC4670000, thread 1376, image base 0x00007FF735FF0000, stack from 0x0000000007C32000-0x0000000007C40000
2025-11-19 23:41:12,185 [root] DEBUG: 2552: Commandline: C:\Windows\Explorer.EXE
2025-11-19 23:41:12,203 [root] DEBUG: 2552: Hooked 69 out of 69 functions
2025-11-19 23:41:12,273 [root] DEBUG: 2552: Syscall hook installed, syscall logging level 1
2025-11-19 23:41:12,285 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-19 23:41:12,286 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:12,290 [lib.api.process] INFO: Injected into 64-bit <Process 2552 explorer.exe>
2025-11-19 23:41:17,341 [root] INFO: Restarting WMI Service
2025-11-19 23:41:19,447 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-11-19 23:41:19,448 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-11-19 23:41:19,449 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-19 23:41:19,461 [lib.api.process] INFO: Successfully executed process from path "C:\Temp\PoliceAssist.exe" with arguments "" with pid 1324
2025-11-19 23:41:19,462 [lib.api.process] INFO: Monitor config for <Process 1324 PoliceAssist.exe>: C:\2oozvway\dll\1324.ini
2025-11-19 23:41:19,463 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:19,466 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:19,476 [root] DEBUG: Loader: Injecting process 1324 (thread 1884) with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:19,477 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-19 23:41:19,478 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:19,480 [lib.api.process] INFO: Injected into 64-bit <Process 1324 PoliceAssist.exe>
2025-11-19 23:41:21,494 [lib.api.process] INFO: Successfully resumed <Process 1324 PoliceAssist.exe>
2025-11-19 23:41:21,510 [root] DEBUG: 1324: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:41:21,511 [root] DEBUG: 1324: Disabling sleep skipping.
2025-11-19 23:41:21,513 [root] DEBUG: 1324: Interactive desktop enabled.
2025-11-19 23:41:21,515 [root] DEBUG: 1324: Dropped file limit defaulting to 100.
2025-11-19 23:41:21,520 [root] DEBUG: 1324: YaraInit: Compiled rules loaded from existing file C:\2oozvway\data\yara\capemon.yac
2025-11-19 23:41:21,548 [root] DEBUG: 1324: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:41:21,550 [root] DEBUG: 1324: YaraScan: Scanning 0x0000000140000000, size 0x126a57
2025-11-19 23:41:21,568 [root] DEBUG: 1324: Monitor initialised: 64-bit capemon loaded in process 1324 at 0x00007FFEC4670000, thread 1884, image base 0x0000000140000000, stack from 0x00000000007F5000-0x0000000000800000
2025-11-19 23:41:21,569 [root] DEBUG: 1324: Commandline: "C:\Temp\PoliceAssist.exe"
2025-11-19 23:41:21,580 [root] DEBUG: 1324: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-19 23:41:21,636 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-19 23:41:21,637 [root] DEBUG: 1324: set_hooks: Unable to hook LockResource
2025-11-19 23:41:21,650 [root] DEBUG: 1324: Hooked 619 out of 620 functions
2025-11-19 23:41:21,671 [root] DEBUG: 1324: Syscall hook installed, syscall logging level 1
2025-11-19 23:41:21,680 [root] DEBUG: 1324: RestoreHeaders: Restored original import table.
2025-11-19 23:41:21,683 [root] INFO: Loaded monitor into process with pid 1324
2025-11-19 23:41:21,702 [root] DEBUG: 1324: caller_dispatch: Added region at 0x0000000140000000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00000001400D415D, thread 1884).
2025-11-19 23:41:21,703 [root] DEBUG: 1324: YaraScan: Scanning 0x0000000140000000, size 0x126a57
2025-11-19 23:41:21,725 [root] DEBUG: 1324: ProcessImageBase: Main module image at 0x0000000140000000 unmodified (entropy change 0.000000e+00)
2025-11-19 23:41:21,733 [root] DEBUG: 1324: set_hooks_by_export_directory: Hooked 0 out of 620 functions
2025-11-19 23:41:21,733 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDEA70000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2025-11-19 23:41:21,736 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE1390000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2025-11-19 23:41:21,740 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-19 23:41:21,755 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-19 23:41:21,796 [root] DEBUG: 1324: DLL loaded at 0x00007FFED6980000: C:\Windows\SYSTEM32\TextShaping (0xac000 bytes).
2025-11-19 23:41:21,849 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0500000: C:\Windows\SYSTEM32\Wldp (0x2d000 bytes).
2025-11-19 23:41:21,850 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDEC70000: C:\Windows\SYSTEM32\windows.storage (0x79b000 bytes).
2025-11-19 23:41:21,852 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316
2025-11-19 23:41:21,855 [root] DEBUG: 2552: caller_dispatch: Added region at 0x00007FF735FF0000 to tracked regions list (combase::CoCreateInstance returns to 0x00007FF736098FBA, thread 2824).
2025-11-19 23:41:21,856 [root] DEBUG: 2552: YaraScan: Scanning 0x00007FF735FF0000, size 0x545316
2025-11-19 23:41:21,931 [root] DEBUG: 2552: ProcessImageBase: Main module image at 0x00007FF735FF0000 unmodified (entropy change 0.000000e+00)
2025-11-19 23:41:21,935 [root] DEBUG: 2552: ProcessImageBase: Main module image at 0x00007FF735FF0000 unmodified (entropy change 0.000000e+00)
2025-11-19 23:41:22,020 [lib.api.process] INFO: Monitor config for <Process 740 svchost.exe>: C:\2oozvway\dll\740.ini
2025-11-19 23:41:22,022 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:22,024 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:22,039 [root] DEBUG: Loader: Injecting process 740 with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:22,043 [root] DEBUG: 740: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:41:22,044 [root] DEBUG: 740: Disabling sleep skipping.
2025-11-19 23:41:22,045 [root] DEBUG: 740: Interactive desktop enabled.
2025-11-19 23:41:22,046 [root] DEBUG: 740: Dropped file limit defaulting to 100.
2025-11-19 23:41:22,049 [root] DEBUG: 740: Services hook set enabled
2025-11-19 23:41:22,053 [root] DEBUG: 740: YaraInit: Compiled rules loaded from existing file C:\2oozvway\data\yara\capemon.yac
2025-11-19 23:41:22,080 [root] DEBUG: 740: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:41:22,081 [root] DEBUG: 740: Monitor initialised: 64-bit capemon loaded in process 740 at 0x00007FFEC4670000, thread 2848, image base 0x00007FF630560000, stack from 0x000000A00AB75000-0x000000A00AB80000
2025-11-19 23:41:22,082 [root] DEBUG: 740: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
2025-11-19 23:41:22,098 [root] DEBUG: 740: Hooked 69 out of 69 functions
2025-11-19 23:41:22,100 [root] INFO: Loaded monitor into process with pid 740
2025-11-19 23:41:22,101 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-19 23:41:22,102 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:22,105 [lib.api.process] INFO: Injected into 64-bit <Process 740 svchost.exe>
2025-11-19 23:41:25,158 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE2C20000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2025-11-19 23:41:25,168 [root] DEBUG: 1324: DLL loaded at 0x00007FFED95E0000: C:\Windows\SYSTEM32\wbemcomn (0x90000 bytes).
2025-11-19 23:41:25,169 [root] DEBUG: 1324: DLL loaded at 0x00007FFED9590000: C:\Windows\system32\wbem\wbemdisp (0x4e000 bytes).
2025-11-19 23:41:25,186 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDC220000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2025-11-19 23:41:25,195 [root] DEBUG: 1324: DLL loaded at 0x00007FFED9560000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2025-11-19 23:41:25,247 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDB270000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2025-11-19 23:41:25,343 [root] DEBUG: 1324: hook_api: WMI_ExecQuery export address 0x00007FFED3FCD630 obtained via GetFunctionAddress
2025-11-19 23:41:25,365 [root] DEBUG: 1324: hook_api: WMI_ExecMethod export address 0x00007FFED40630C0 obtained via GetFunctionAddress
2025-11-19 23:41:25,446 [root] DEBUG: 1324: DLL loaded at 0x00007FFED3FC0000: C:\Windows\system32\wbem\fastprox (0x10b000 bytes).
2025-11-19 23:41:25,449 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDE1C0000: C:\Windows\SYSTEM32\amsi (0x1f000 bytes).
2025-11-19 23:41:25,464 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE08C0000: C:\Windows\SYSTEM32\sxs (0xa2000 bytes).
2025-11-19 23:41:25,535 [root] DEBUG: 740: CreateProcessHandler: Injection info set for new process 4036: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF7CCD30000
2025-11-19 23:41:25,536 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 4036
2025-11-19 23:41:25,536 [lib.api.process] INFO: Monitor config for <Process 4036 WmiPrvSE.exe>: C:\2oozvway\dll\4036.ini
2025-11-19 23:41:25,538 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:26,523 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:26,535 [root] DEBUG: Loader: Injecting process 4036 (thread 1460) with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:26,536 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-19 23:41:26,537 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:26,540 [lib.api.process] INFO: Injected into 64-bit <Process 4036 WmiPrvSE.exe>
2025-11-19 23:41:26,542 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 4036
2025-11-19 23:41:26,542 [lib.api.process] INFO: Monitor config for <Process 4036 WmiPrvSE.exe>: C:\2oozvway\dll\4036.ini
2025-11-19 23:41:26,543 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:27,104 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:27,114 [root] DEBUG: Loader: Injecting process 4036 (thread 1460) with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:27,115 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-19 23:41:27,116 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:27,119 [lib.api.process] INFO: Injected into 64-bit <Process 4036 WmiPrvSE.exe>
2025-11-19 23:41:27,132 [root] DEBUG: 4036: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:41:27,132 [root] DEBUG: 4036: Interactive desktop enabled.
2025-11-19 23:41:27,133 [root] DEBUG: 4036: Dropped file limit defaulting to 100.
2025-11-19 23:41:27,136 [root] DEBUG: 4036: Disabling sleep skipping.
2025-11-19 23:41:27,137 [root] DEBUG: 4036: Services hook set enabled
2025-11-19 23:41:27,141 [root] DEBUG: 4036: YaraInit: Compiled rules loaded from existing file C:\2oozvway\data\yara\capemon.yac
2025-11-19 23:41:27,165 [root] DEBUG: 4036: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:41:27,166 [root] DEBUG: 4036: Monitor initialised: 64-bit capemon loaded in process 4036 at 0x00007FFEC4670000, thread 1460, image base 0x00007FF7CCD30000, stack from 0x0000008CAF580000-0x0000008CAF590000
2025-11-19 23:41:27,167 [root] DEBUG: 4036: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2025-11-19 23:41:27,180 [root] DEBUG: 4036: Hooked 69 out of 69 functions
2025-11-19 23:41:27,187 [root] DEBUG: 4036: RestoreHeaders: Restored original import table.
2025-11-19 23:41:27,188 [root] INFO: Loaded monitor into process with pid 4036
2025-11-19 23:41:27,199 [root] DEBUG: 4036: set_hooks_by_export_directory: Hooked 0 out of 69 functions
2025-11-19 23:41:27,200 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDEA70000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2025-11-19 23:41:27,201 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE1390000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2025-11-19 23:41:27,204 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE2C20000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2025-11-19 23:41:27,208 [lib.api.process] INFO: Monitor config for <Process 1756 svchost.exe>: C:\2oozvway\dll\1756.ini
2025-11-19 23:41:27,210 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor
2025-11-19 23:41:27,212 [lib.api.process] INFO: 64-bit DLL to inject is C:\2oozvway\dll\FvrgALd.dll, loader C:\2oozvway\bin\alZEzoOD.exe
2025-11-19 23:41:27,222 [root] DEBUG: Loader: Injecting process 1756 with C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:27,229 [root] DEBUG: 1756: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:41:27,230 [root] DEBUG: 1756: Disabling sleep skipping.
2025-11-19 23:41:27,230 [root] DEBUG: 1756: Interactive desktop enabled.
2025-11-19 23:41:27,231 [root] DEBUG: 1756: Dropped file limit defaulting to 100.
2025-11-19 23:41:27,232 [root] DEBUG: 1756: Services hook set enabled
2025-11-19 23:41:27,236 [root] DEBUG: 1756: YaraInit: Compiled rules loaded from existing file C:\2oozvway\data\yara\capemon.yac
2025-11-19 23:41:27,259 [root] DEBUG: 1756: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:41:27,260 [root] DEBUG: 1756: Monitor initialised: 64-bit capemon loaded in process 1756 at 0x00007FFEC4670000, thread 1400, image base 0x00007FF630560000, stack from 0x000000D46CEF5000-0x000000D46CF00000
2025-11-19 23:41:27,261 [root] DEBUG: 1756: Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p
2025-11-19 23:41:27,274 [root] DEBUG: 1756: Hooked 69 out of 69 functions
2025-11-19 23:41:27,276 [root] INFO: Loaded monitor into process with pid 1756
2025-11-19 23:41:27,277 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-19 23:41:27,278 [root] DEBUG: Successfully injected DLL C:\2oozvway\dll\FvrgALd.dll.
2025-11-19 23:41:27,280 [lib.api.process] INFO: Injected into 64-bit <Process 1756 svchost.exe>
2025-11-19 23:41:29,297 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC220000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2025-11-19 23:41:29,304 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDB270000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2025-11-19 23:41:29,324 [root] DEBUG: 4036: DLL loaded at 0x00007FFED9560000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2025-11-19 23:41:29,337 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE09F0000: C:\Windows\SYSTEM32\powrprof (0x4b000 bytes).
2025-11-19 23:41:29,338 [root] DEBUG: 4036: DLL loaded at 0x00007FFECA3F0000: C:\Windows\SYSTEM32\framedynos (0x52000 bytes).
2025-11-19 23:41:29,339 [root] DEBUG: 4036: DLL loaded at 0x00007FFECA0F0000: C:\Windows\system32\wbem\cimwin32 (0x20c000 bytes).
2025-11-19 23:41:29,341 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE09D0000: C:\Windows\SYSTEM32\UMPDC (0x12000 bytes).
2025-11-19 23:41:29,359 [root] DEBUG: 4036: DLL loaded at 0x00007FFECBDA0000: C:\Windows\SYSTEM32\winbrand (0x35000 bytes).
2025-11-19 23:41:29,364 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\Windows\SYSTEM32\wldp (0x2d000 bytes).
2025-11-19 23:41:29,369 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\Windows\SYSTEM32\wldp (0x2d000 bytes).
2025-11-19 23:41:29,374 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\Windows\SYSTEM32\wldp (0x2d000 bytes).
2025-11-19 23:41:29,379 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0500000: C:\Windows\SYSTEM32\wldp (0x2d000 bytes).
2025-11-19 23:41:29,380 [root] DEBUG: 4036: DLL loaded at 0x0000025E61D60000: C:\Windows\SYSTEM32\SECURITY (0x3000 bytes).
2025-11-19 23:41:29,382 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC850000: C:\Windows\SYSTEM32\SECUR32 (0xc000 bytes).
2025-11-19 23:41:29,385 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDFAA0000: C:\Windows\system32\schannel (0x97000 bytes).
2025-11-19 23:41:29,430 [root] DEBUG: 4036: DLL loaded at 0x00007FFED6960000: C:\Windows\SYSTEM32\NETAPI32 (0x19000 bytes).
2025-11-19 23:41:29,432 [root] DEBUG: 4036: DLL loaded at 0x00007FFED5050000: C:\Windows\SYSTEM32\SAMCLI (0x19000 bytes).
2025-11-19 23:41:29,435 [root] DEBUG: 4036: DLL loaded at 0x00007FFED6E00000: C:\Windows\SYSTEM32\SRVCLI (0x28000 bytes).
2025-11-19 23:41:29,437 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0060000: C:\Windows\SYSTEM32\NETUTILS (0xc000 bytes).
2025-11-19 23:41:29,439 [root] DEBUG: 4036: DLL loaded at 0x00007FFEE0070000: C:\Windows\SYSTEM32\LOGONCLI (0x43000 bytes).
2025-11-19 23:41:29,441 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC210000: C:\Windows\SYSTEM32\SCHEDCLI (0xc000 bytes).
2025-11-19 23:41:29,443 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDFCF0000: C:\Windows\SYSTEM32\WKSCLI (0x19000 bytes).
2025-11-19 23:41:29,445 [root] DEBUG: 4036: DLL loaded at 0x00007FFEDC560000: C:\Windows\SYSTEM32\DSROLE (0xa000 bytes).
2025-11-19 23:41:29,449 [root] DEBUG: 4036: DLL loaded at 0x00007FFECE280000: C:\Windows\SYSTEM32\cscapi (0x12000 bytes).
2025-11-19 23:41:29,521 [root] DEBUG: 1324: CAPEExceptionFilter: Exception 0xc0000005 accessing 0x0 caught at RVA 0xf0418 in capemon (expected in memory scans), passing to next handler.
2025-11-19 23:41:29,534 [root] DEBUG: 1324: DLL loaded at 0x00007FFED5F30000: C:\Windows\system32\winhttpcom (0x1e000 bytes).
2025-11-19 23:41:29,544 [root] DEBUG: 1324: DLL loaded at 0x00007FFED8A20000: C:\Windows\system32\WINHTTP (0x10a000 bytes).
2025-11-19 23:41:29,556 [root] DEBUG: 1324: DLL loaded at 0x00007FFECB2E0000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2025-11-19 23:41:29,560 [root] DEBUG: 1324: DLL loaded at 0x00007FFEC7790000: C:\Windows\system32\webio (0x98000 bytes).
2025-11-19 23:41:29,564 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0260000: C:\Windows\system32\mswsock (0x6a000 bytes).
2025-11-19 23:41:29,568 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFF50000: C:\Windows\system32\IPHLPAPI (0x3b000 bytes).
2025-11-19 23:41:29,570 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE2110000: C:\Windows\System32\NSI (0x8000 bytes).
2025-11-19 23:41:29,571 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDAE00000: C:\Windows\SYSTEM32\WINNSI (0xb000 bytes).
2025-11-19 23:41:29,588 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFF90000: C:\Windows\SYSTEM32\DNSAPI (0xca000 bytes).
2025-11-19 23:41:29,594 [root] DEBUG: 1324: DLL loaded at 0x00007FFED87C0000: C:\Windows\System32\rasadhlp (0xa000 bytes).
2025-11-19 23:41:29,609 [root] DEBUG: 1324: DLL loaded at 0x00007FFED8CB0000: C:\Windows\System32\fwpuclnt (0x80000 bytes).
2025-11-19 23:41:29,666 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFAA0000: C:\Windows\system32\schannel (0x97000 bytes).
2025-11-19 23:41:29,751 [root] DEBUG: 608: TLS 1.2 secrets logged to: C:\xVgYcbaMe\tlsdump\tlsdump.log
2025-11-19 23:41:29,790 [root] DEBUG: 1324: DLL loaded at 0x00007FFECB060000: C:\Windows\SYSTEM32\mskeyprotect (0x15000 bytes).
2025-11-19 23:41:29,791 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0530000: C:\Windows\SYSTEM32\NTASN1 (0x3b000 bytes).
2025-11-19 23:41:29,799 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0570000: C:\Windows\SYSTEM32\ncrypt (0x27000 bytes).
2025-11-19 23:41:29,802 [root] DEBUG: 1324: DLL loaded at 0x00007FFECB1A0000: C:\Windows\system32\ncryptsslp (0x26000 bytes).
2025-11-19 23:41:29,808 [root] DEBUG: 1324: DLL loaded at 0x00007FFEE0690000: C:\Windows\SYSTEM32\MSASN1 (0x12000 bytes).
2025-11-19 23:41:29,910 [root] DEBUG: 1324: DLL loaded at 0x00007FFEC5430000: C:\Windows\system32\mlang (0x42000 bytes).
2025-11-19 23:41:29,959 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDFCB0000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2025-11-19 23:41:29,960 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDE0B0000: C:\Windows\System32\CoreMessaging (0xf2000 bytes).
2025-11-19 23:41:29,961 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDC8A0000: C:\Windows\SYSTEM32\wintypes (0x155000 bytes).
2025-11-19 23:41:29,962 [root] DEBUG: 1324: DLL loaded at 0x00007FFEDDD50000: C:\Windows\System32\CoreUIComponents (0x35b000 bytes).
2025-11-19 23:41:29,963 [root] DEBUG: 1324: DLL loaded at 0x00007FFED8F50000: C:\Windows\SYSTEM32\textinputframework (0xf9000 bytes).
2025-11-19 23:43:31,266 [root] DEBUG: 2552: set_hooks_by_export_directory: Hooked 0 out of 69 functions
2025-11-19 23:43:31,268 [root] DEBUG: 2552: DLL loaded at 0x00007FFECE180000: C:\Windows\System32\Windows.CloudStore.Schema.Shell (0xf4000 bytes).
2025-11-19 23:43:31,290 [root] DEBUG: 2552: DLL loaded at 0x00007FFEDB0E0000: C:\Windows\System32\usermgrproxy (0x54000 bytes).
2025-11-19 23:44:41,586 [root] INFO: Analysis timeout hit, terminating analysis
2025-11-19 23:44:41,587 [lib.api.process] INFO: Terminate event set for <Process 1324 PoliceAssist.exe>
2025-11-19 23:44:41,588 [root] DEBUG: 1324: Terminate Event: Attempting to dump process 1324
2025-11-19 23:44:41,591 [root] DEBUG: 1324: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-19 23:44:41,605 [lib.api.process] INFO: Termination confirmed for <Process 1324 PoliceAssist.exe>
2025-11-19 23:44:41,606 [root] DEBUG: 1324: Terminate Event: monitor shutdown complete for process 1324
2025-11-19 23:44:41,607 [root] INFO: Terminate event set for process 1324
2025-11-19 23:44:41,608 [lib.api.process] INFO: Terminate event set for <Process 740 svchost.exe>
2025-11-19 23:44:41,609 [root] DEBUG: 740: Terminate Event: Attempting to dump process 740
2025-11-19 23:44:41,610 [root] DEBUG: 740: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-19 23:44:41,615 [lib.api.process] INFO: Termination confirmed for <Process 740 svchost.exe>
2025-11-19 23:44:41,616 [root] INFO: Terminate event set for process 740
2025-11-19 23:44:41,616 [root] DEBUG: 740: Terminate Event: monitor shutdown complete for process 740
2025-11-19 23:44:41,616 [lib.api.process] INFO: Terminate event set for <Process 4036 WmiPrvSE.exe>
2025-11-19 23:44:41,618 [root] DEBUG: 4036: Terminate Event: Attempting to dump process 4036
2025-11-19 23:44:41,619 [root] DEBUG: 4036: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-19 23:44:41,623 [root] DEBUG: 4036: Terminate Event: Shutdown complete for process 4036 but failed to inform analyzer.
2025-11-19 23:44:46,618 [lib.api.process] INFO: Termination confirmed for <Process 4036 WmiPrvSE.exe>
2025-11-19 23:44:46,619 [root] INFO: Terminate event set for process 4036
2025-11-19 23:44:46,620 [lib.api.process] INFO: Terminate event set for <Process 1756 svchost.exe>
2025-11-19 23:44:46,622 [root] DEBUG: 1756: Terminate Event: Attempting to dump process 1756
2025-11-19 23:44:46,623 [root] DEBUG: 1756: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-19 23:44:46,627 [lib.api.process] INFO: Termination confirmed for <Process 1756 svchost.exe>
2025-11-19 23:44:46,627 [root] INFO: Terminate event set for process 1756
2025-11-19 23:44:46,628 [root] DEBUG: 1756: Terminate Event: monitor shutdown complete for process 1756
2025-11-19 23:44:46,628 [root] INFO: Created shutdown mutex
2025-11-19 23:44:47,640 [root] INFO: Shutting down package
2025-11-19 23:44:47,641 [root] INFO: Stopping auxiliary modules
2025-11-19 23:44:47,641 [root] INFO: Stopping auxiliary module: Browser
2025-11-19 23:44:47,642 [root] INFO: Stopping auxiliary module: Human
2025-11-19 23:44:47,642 [root] INFO: Stopping auxiliary module: Screenshots
2025-11-19 23:44:47,857 [root] INFO: Finishing auxiliary modules
2025-11-19 23:44:47,857 [root] INFO: Shutting down pipe server and dumping dropped files
2025-11-19 23:44:47,858 [root] WARNING: Folder at path "C:\xVgYcbaMe\debugger" does not exist, skipping
2025-11-19 23:44:47,858 [root] INFO: Uploading files at path "C:\xVgYcbaMe\tlsdump"
2025-11-19 23:44:47,859 [lib.common.results] INFO: Uploading file C:\xVgYcbaMe\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 274; Max size: 100000000
2025-11-19 23:44:47,877 [root] INFO: Analysis completed
```
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| MalwareGuest | MalwareGuest | Proxmox | 2025-11-19 23:43:57 | 2025-11-19 23:47:40 | internet |
| Direct | IP | Country Name | ASN |
|---|---|---|---|
| N | 172.66.171.73 | unknown | |
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
No HTTP(s) requests performed.
No SMTP traffic performed.
No IRC requests performed.
No ICMP traffic performed.
No CIF Results
No Suricata Alerts
No Suricata TLS
No Suricata HTTP