pupdate.exe is part of Internet Explorer and developed by Microsoft Corporation according to the pupdate.exe version information.
pupdate.exe's description is "Win32 Cabinet Self-Extractor "
pupdate.exe is digitally signed by TERSER TUDE LTD.
pupdate.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected pupdate.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on pupdate.exe:
Property | Value |
---|---|
Product name | Internet Explorer |
Company name | Microsoft Corporation |
File description | Win32 Cabinet Self-Extractor |
Internal name | Wextract |
Original filename | WEXTRACT.EXE .MUI |
Legal copyright | © Microsoft Corporation. All rights reserved. |
Product version | 11.00.15063.0 |
File version | 11.00.15063.0 (WinBuild.160101.0800) |
Here's a screenshot of the file properties when displayed by Windows Explorer:
Product name | Internet Explorer |
Company name | Microsoft Corporation |
File description | Win32 Cabinet Self-Extractor .. |
Internal name | Wextract |
Original filename | WEXTRACT.EXE .MUI |
Legal copyright | © Microsoft Corporation. All rights.. |
Product version | 11.00.15063.0 |
File version | 11.00.15063.0 (WinBuild.160101.0800) |
pupdate.exe has a valid digital signature.
Property | Value |
---|---|
Signer name | TERSER TUDE LTD |
Certificate issuer name | DigiCert EV Code Signing CA (SHA2) |
Certificate serial number | 0dca26c9a2db5e5edd0e49f9790612cf |
10 of the 72 anti-virus programs at VirusTotal detected the pupdate.exe file. That's a 14% detection rate.
Scanner | Detection Name |
---|---|
CAT-QuickHeal | Trojan.Agent |
Comodo | ApplicUnwnt@#14jdu3q053jzt |
Cyren | W32/Trojan.ARRO-0864 |
ESET-NOD32 | MSIL/Somoto.A potentially unwanted |
Ikarus | PUA.MSIL.Somoto |
K7AntiVirus | Adware ( 00549ceb1 ) |
K7GW | Adware ( 00549ceb1 ) |
Malwarebytes | PUP.Optional.AppSync.TskLnk |
Microsoft | PUA:Win32/Somoto |
Sophos | Generic PUA MG (PUA) |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{ "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "\\Device\\KsecDD" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe" ], "dll_loaded": [ "imagehlp.dll", "API-MS-Win-Security-LSALookup-L1-1-0.dll", "DNSAPI.dll", "SHELL32.dll", "dwmapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll", "C:\\Windows\\system32\\advpack.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll", "ncrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll", "API-MS-WIN-Service-Management-L2-1-0.dll", "crypt32.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "SspiCli.dll", "advapi32.dll", "psapi.dll", "SHLWAPI.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll", "USER32.dll", "C:\\Windows\\syswow64\\CRYPT32.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll", "C:\\Windows\\System32\\wship6.dll", "feclient.dll", "setupapi.dll", "iphlpapi.dll", "CFGMGR32.dll", "C:\\Windows\\System32\\wshtcpip.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll", "urlmon.dll", "ntdll", "apphelp.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll", "kernel32.dll", "oleaut32.dll", "SensApi.dll", "ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "cryptsp.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "IPHLPAPI.DLL", "RichEd20.dll", "uxtheme.dll", "winhttp.dll", "profapi.dll", "comctl32.dll", "RpcRtRemote.dll", "WINTRUST.DLL", "C:\\Windows\\system32\\cryptnet.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll", "DEVRTL.dll", "Cabinet.dll", "user32.dll", "WINHTTP.dll", "gdi32.dll", "ws2_32.dll", "bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "CRYPTSP.dll", "credssp.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll", "ole32.dll", "NSI.dll", "mscorsec.dll", "SXS.DLL", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll", "ADVAPI32.dll", "WS2_32.dll", "gdiplus.dll", "C:\\Windows\\system32\\advapi32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "imm32.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "cryptnet.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Runtime.Seri#\\4a984a9ad59d14063bc6ae64a0c8f62a\\System.Runtime.Serialization.ni.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "version.dll", "shell32.dll", "OLEAUT32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll", "RPCRT4.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "sxs.dll", "mscoree.dll", "C:\\Windows\\system32\\mswsock.dll", "AdvApi32.dll" ], "file_opened": [ "C:\\Windows\\Fonts\\msyh.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat", "C:\\Windows\\Fonts\\tahoma.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Windows\\Fonts\\msjh.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Windows\\assembly\\pubpol4.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Windows\\System32\\l_intl.nls", "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Windows\\Fonts\\malgun.ttf", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log", "C:\\Windows\\SysWOW64\\ieframe.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config", "C:\\Windows\\Fonts\\micross.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Windows\\Fonts\\segoeui.ttf", "C:\\Windows", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "command_line": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\UrlDllGetObjectUrl", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllPutSignedDataMsg", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\00000005", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE", "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\UrlDllGetObjectUrl", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllEncodeObjectEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{06C9E010-38CE-11D4-A2A3-00104BD35090}", "HKEY_CLASSES_ROOT\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InprocServer32", "HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllVerifyEncodedSignature", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}", "HKEY_CLASSES_ROOT\\AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_CURRENT_USER\\EUDC\\1252", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder", "HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus", "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllConvertPublicKeyInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\TVO", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.System.Runtime.Serialization__b77a5c561934e089", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_CLASSES_ROOT\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.1.1", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\33abb01d\\69ef69c7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllConvertPublicKeyInfo", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyRevocation", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.SMDiagnostics__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\do\\OpenWithProgids", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}", "HKEY_CLASSES_ROOT\\do", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\SchemeDllRetrieveEncodedObjectW", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\TimeValidDllGetObject", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy", "HKEY_CLASSES_ROOT\\AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1A610570-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\ChainEngine\\Config", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{846EE342-7039-11DE-9D20-806E6F6E6963}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllGetSignedDataMsg", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\do", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{000C10F1-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\ContextDllCreateObjectContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.11", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\TimeValidDllGetObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx2", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1", "HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllVerifyEncodedSignature", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\SchemeDllRetrieveEncodedObjectW", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.12", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\ContextDllCreateObjectContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v4.0", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllVerifyIndirectData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.4", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.5.System.Core__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation\\DEFAULT", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AppSync.exe", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e", "HKEY_CURRENT_USER\\TypeLib", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Advanced INF Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a" ], "resolves_host": [ "ocsp.digicert.com", "crl4.digicert.com", "crl3.digicert.com" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "regkey_deleted": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp" ], "directory_removed": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\", "C:\\Windows\\Fonts\\ahronbd.ttf", "C:\\Windows\\System32\\qagentrt.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Windows\\inf\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.PDB", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Windows\\System32\\p2pcollab.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Windows\\Globalization\\en.nlp", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Windows\\System32\\MSCOREE.DLL.local", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "mutex": [ "Global\\.net clr networking" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\2659C1A560AB92C9C29D4B2B25815AE8", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_3F584A3392BB586FC541F0F81FC9D443", "C:\\Windows\\symbols\\dll\\mscorlib.pdb", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0270780F846F08BEFE0DD8112D932FEF", "C:\\Windows\\symbols\\exe\\AppSync.pdb", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.pdb", "C:\\Windows\\exe\\AppSync.pdb", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config", "C:\\Windows\\dll\\mscorlib.pdb", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_DD7CBED22FCB4DBB59011DF9ECBBC293", "C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\config.txt", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6E47DC54834F661FE77B461D2DF73D9D", "C:\\Windows\\AppSync.pdb", "C:\\Windows\\mscorlib.pdb", "C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\ToUnzip\\pref.txt", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_943A1DFFA777580B483765AB2C11CA95", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\782AC1F7D5B160B0F71F6F92B0912799", "C:\\Users\\cuck\\AppData\\Roaming\\AppMaster\\pref.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdb" ], "wmi_query": [ "select * from Win32_OperatingSystem", "SELECT * FROM Win32_PhysicalMedia", "Select ProcessorId From Win32_processor" ], "guid": [ "{00000000-0000-0000-c000-000000000046}", "{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{44aca674-e8fc-11d0-a07c-00c04fb68820}", "{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}", "{674b6698-ee92-11d0-ad71-00c04fd8fdff}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{8856f961-340a-11d0-a96b-00c04fd705a2}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{871c5380-42a0-1069-a2ea-08002b30309d}", "{000214e6-0000-0000-c000-000000000046}", "{00000001-0000-0000-c000-000000000046}", "{dc12a687-737f-11cf-884d-00aa004b2e24}" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Windows\\SysWOW64\\ieframe.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\409ACDAA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\\1.1\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\SMDiagnostics,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Advanced INF Setup\\AdvpackLogFile", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName", "HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\NavigationDelay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InProcServer32\\Class", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\svcVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Core,3.5.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_enumerated": [ "C:\\Windows\\Microsoft.NET\\Framework\\v4.0\\mscorwks.dll", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP", "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI", "C:\\Users", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_*", "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI", "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Serialization\\3.0.0.0__b77a5c561934e089\\System.Runtime.Serialization.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_*", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.INI", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.INI", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI" ], "directory_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP" ] }
[ { "yara": [], "sha1": "ac9fce1ca9c8688ad9e2719d71e5aefc3e5571bd", "name": "74f81af2f738bb99_retake.css", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "type": "ASCII text, with CRLF line terminators", "sha256": "74f81af2f738bb995aadc325b7ba48c14587c767e9c12256e10fe7434343ae26", "urls": [], "crc32": "C84B849D", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/74f81af2f738bb99_retake.css", "ssdeep": null, "size": 1996, "sha512": "0ab07f5d6b6d587f6a84d5e0b0bd3759607618e864df43abbfcb2c831e0ed98be2fe9e093b7546c5c451b5fae647a0ea4a07b3ee3faf7195eda8c344430f15be", "pids": [ 2816 ], "md5": "586303d7a26f62bc73e3d5b2fc855c54" }, { "yara": [], "sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0", "name": "4c9c4d831d61c8c3_CabA6D3.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "type": "Microsoft Cabinet archive data, 56952 bytes, 1 file", "sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822", "urls": [], "crc32": "5168F337", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/4c9c4d831d61c8c3_CabA6D3.tmp", "ssdeep": null, "size": 56952, "sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a", "pids": [ 1676 ], "md5": "04d79a0dc77a8f449cbff6252862d398" }, { "yara": [], "sha1": "6f93267f1ec87b812f84943239a86b7b885fe7ae", "name": "87908dc75d88431a_brand.js", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "type": "ASCII text", "sha256": "87908dc75d88431abeabe25cb26e98db2c5d84db22346aaa03fb85d434045f9e", "urls": [ "http:\/\/pdfpro100.com\/", "http:\/\/www.", "http:\/\/pdfpro100.com\/eula.html" ], "crc32": "2C26EE5E", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/87908dc75d88431a_brand.js", "ssdeep": null, "size": 2165, "sha512": "9eed2018b3bc095a4cb3371a0b017c64390e19a4cb1f7d140818d0baa4eae6812828852ab3ebe518bc07d79a40628e5fcbbf22c271873489f7cff34779fa330e", "pids": [ 2816 ], "md5": "420c83217cadf93d566f46c0e85c22a0" }, { "yara": [], "sha1": "b6c3783716a43f0294e8fca008acddd22a169150", "name": "c7f6d5516f4d81e5_install.js", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "type": "ASCII text, with CRLF line terminators", "sha256": "c7f6d5516f4d81e53542c0ea635fa636f5e267ea12cd62574cb44a2d0ee54cf7", "urls": [], "crc32": "3A80011F", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/c7f6d5516f4d81e5_install.js", "ssdeep": null, "size": 5146, "sha512": "b5d367b6f9254ee1b0ed82d06e1212b7bd698e0dc8a0d006bcbbc9cad37be2e6e7ef25cd579cab0b692a977d43aa81b42da484b50247a8dfc0a45e00d940c4d4", "pids": [ 2816 ], "md5": "bdcf87e9314d51510eaccba2be09e727" }, { "yara": [], "sha1": "305ee32875bbcceed33b60a77ea509ed22f16379", "name": "71c0c7cc191a2cbf_bg.jpg", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "type": "JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1500x844, frames 3", "sha256": "71c0c7cc191a2cbf3ddf033ca7ba97adb46a04284f014c667574c1bf1fb0f1f3", "urls": [ "http:\/\/ns.adobe.com\/xap\/1.0\/mm\/", "http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef", "http:\/\/ns.adobe.com\/xap\/1.0\/" ], "crc32": "C6264637", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/71c0c7cc191a2cbf_bg.jpg", "ssdeep": null, "size": 72441, "sha512": "4d0a4ab42423592b431534a9ad8991e139c09c9f501fe67867773ea07ef63e8719e4105b9d154fae467a3b65be07cedd1ce869a00b7fdd815059ff0044b2e0de", "pids": [ 2816 ], "md5": "410e67276b4c3a0ad73bc3eecdcd0d6d" }, { "yara": [], "sha1": "d9aa9f95d97737ba627f9d68971366feb8ea247b", "name": "bc19898e37cd9ab7_win10_install.css", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "type": "ASCII text, with CRLF line terminators", "sha256": "bc19898e37cd9ab71dfc81ea24cabc571ae5d00766c21b384919df3c30b85bc2", "urls": [ "https:\/\/fonts.googleapis.com\/css?family=Open" ], "crc32": "502DC31A", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/bc19898e37cd9ab7_win10_install.css", "ssdeep": null, "size": 8928, "sha512": "da1a239a927426650e11976ebd0c0861ae09f9552cd4046f3f4ce91df8b6a63f9f1775c98402312877889630f9492312708239932313b52c78b4b741c57d245d", "pids": [ 2816 ], "md5": "f42cd9b3a68fe9aea276eee4708473f9" }, { "yara": [], "sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231", "name": "b0a39e28d93f7822_TarA6D4.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "type": "data", "sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc", "urls": [ "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0", "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07", "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0", "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0", "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u" ], "crc32": "B495BE07", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/b0a39e28d93f7822_TarA6D4.tmp", "ssdeep": null, "size": 138525, "sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46", "pids": [ 1676 ], "md5": "0e34ebf89b843b303f0fb5f194be9d28" }, { "yara": [], "sha1": "928937c244180ebd616ecdd726fbdcc48ad2079f", "name": "4037a85bf6224a74_logo.png", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "type": "PNG image data, 128 x 128, 8-bit\/color RGBA, non-interlaced", "sha256": "4037a85bf6224a74a837a2e7ecced0c71816f3ea49d116476a1f0ede963db40d", "urls": [], "crc32": "33AEF962", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/4037a85bf6224a74_logo.png", "ssdeep": null, "size": 9002, "sha512": "a6160a5e53d395a843262b3c05cfccb1fc9d6bd34076854bb92466f073f322bfe040fbb4d4947ebc5d14d4345408df60eb6869073c7851329178dda9e2f2b56c", "pids": [ 2816 ], "md5": "eb4c64430e6d9d564cb61bbfc97f26f5" }, { "yara": [], "sha1": "0bff0b9678cf53d4f19bc4f00e1a736f97f6a2a3", "name": "1be86474e1b66764_loader.gif", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "type": "GIF image data, version 89a, 90 x 90", "sha256": "1be86474e1b66764f38a8362dcb98ca55237d749515114ee6cdfdb6f0903f148", "urls": [ "http:\/\/ns.adobe.com\/xap\/1.0\/mm\/", "http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef", "http:\/\/ns.adobe.com\/xap\/1.0\/" ], "crc32": "DCD44B2E", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/1be86474e1b66764_loader.gif", "ssdeep": null, "size": 64825, "sha512": "4c49c3885679de638ffcfe29a658d37cd0e422774f94c90e54e1c5a1b70bf2f5c24262e5212ad3a9060f9cd2ba0d84c008b5beeb867d07ca8518781e00249f34", "pids": [ 2816 ], "md5": "72e5f3e5e94851d1091e6703d9a63550" }, { "yara": [], "sha1": "91af479a1ca2888b1f63e8d459020161fcd89fde", "name": "fda69691d16ff902_1517143390278_1512482433840_logo.png", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "type": "PNG image data, 260 x 174, 8-bit\/color RGBA, non-interlaced", "sha256": "fda69691d16ff902c54db60cab6b765b1026170527162483dcb5be38c918d79e", "urls": [ "http:\/\/ns.adobe.com\/xap\/1.0\/mm\/", "http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef", "http:\/\/ns.adobe.com\/xap\/1.0\/" ], "crc32": "50E664C7", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/fda69691d16ff902_1517143390278_1512482433840_logo.png", "ssdeep": null, "size": 22733, "sha512": "ba459609ac3029df56eb7b2a630ebbb9e7dda1df9a4277f0568342d5bafb530f3d28b612d94ef37ed89d2a9070e4928eb498d7513810b93fedcac53a224d4e0f", "pids": [ 2816 ], "md5": "1b3b1b185013a718549ad7ecef41aa46" }, { "yara": [], "sha1": "9614e4c1cfa4d67187fc7de313f63100c9428c02", "name": "741aab644ed45961_install.html", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "type": "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators", "sha256": "741aab644ed45961879774546c9b87c3a2e25283e489221469cb6d0dcd39d623", "urls": [], "crc32": "26500F3E", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/741aab644ed45961_install.html", "ssdeep": null, "size": 15770, "sha512": "6ff7114ae0522cd843cd3bf8d0bbfdc8ce19f0ce8a339b84940011b5a0f0ded97863f7e005df1819977df4806e125d671d1d0ad2ed235485c9ba4d6cb2da9189", "pids": [ 2816 ], "md5": "5df42d9dd9fe8b3c98fe3feabad67cf7" }, { "yara": [], "sha1": "7eb2161d66d1bd1bb105fb6089d4c3622493d93b", "name": "e87b23079eff1ca2_appsync.exe", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "type": "PE32 executable (GUI) Intel 80386 Mono\/.Net assembly, for MS Windows", "sha256": "e87b23079eff1ca296159506531ea8b02f18efc347fc7dea68c6acfdd30e3bf8", "urls": [ "http:\/\/crl3.digicert.com\/DigiCertHighAssuranceEVRootCA.crl0", "http:\/\/www.apache.org\/licenses\/LICENSE-2.0", "http:\/\/crl4.digicert.com\/EVCodeSigningSHA2-g1.crl0K", "http:\/\/cacerts.digicert.com\/DigiCertAssuredIDRootCA.crt0", "http:\/\/dev.search.strtpoint.com\/results.html?c=1", "http:\/\/cacerts.digicert.com\/DigiCertHighAssuranceEVRootCA.crt0", "http:\/\/crl3.digicert.com\/EVCodeSigningSHA2-g1.crl07", "http:\/\/www.apache.org\/).", "http:\/\/www.mozilla.org\/2004\/em-rdf", "http:\/\/cacerts.digicert.com\/DigiCertSHA2AssuredIDTimestampingCA.crt0", "http:\/\/ocsp.digicert.com0C", "http:\/\/ocsp.digicert.com0O", "http:\/\/crl3.digicert.com\/DigiCertAssuredIDRootCA.crl0P", "http:\/\/ocsp.digicert.com0I", "http:\/\/ocsp.digicert.com0H", "http:\/\/crl4.digicert.com\/DigiCertHighAssuranceEVRootCA.crl0", "http:\/\/crl3.digicert.com\/sha2-assured-ts.crl02", "http:\/\/crl4.digicert.com\/sha2-assured-ts.crl0", "https:\/\/www.nuget.org\/packages\/Newtonsoft.Json.Bson", "http:\/\/www.apache.org\/licenses\/", "http:\/\/cacerts.digicert.com\/DigiCertEVCodeSigningCA-SHA2.crt0", "http:\/\/crl4.digicert.com\/DigiCertAssuredIDRootCA.crl0:", "https:\/\/www.digicert.com\/CPS0", "http:\/\/www.digicert.com\/ssl-cps-repository.htm0", "http:\/\/www.newtonsoft.com\/jsonschema" ], "crc32": "5F5A36FE", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/e87b23079eff1ca2_appsync.exe", "ssdeep": null, "size": 4139992, "sha512": "0ddf20c7b54d6c60fdcc7680b881a8c7df5cee5f69cd986197f22a1e8443f6ab09e6d83b45e16dbdd8ace43e84b3302cbb1baef39ecaf232607c744c2a815ec8", "pids": [ 2816 ], "md5": "7ac9ce6a69f0448ec8bd0ebbff3fbb09" }, { "yara": [], "sha1": "339802872d30316fc62bebc0ff83247d885d2a67", "name": "1fbfd07ee6638e19_win10_install.js", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "type": "ASCII text, with CRLF line terminators", "sha256": "1fbfd07ee6638e19f0297ba310a239adf0b5750930753267a0d5f381209f7992", "urls": [], "crc32": "2D5977CA", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/1fbfd07ee6638e19_win10_install.js", "ssdeep": null, "size": 5146, "sha512": "64d6a642864892ebdca267d58a94a1812f4079692fb5802ae7c8c4acd7a7440691b40783235dd404361ffe16acbaa55843fe71850e7cffabdd46e36ef1c12edf", "pids": [ 2816 ], "md5": "aea0f51c10a958068049db2e6dda6898" }, { "yara": [], "sha1": "584b5011c80f1acc9a54392720d047152eb8d2a8", "name": "3cd3fc529dd87021_config.txt", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "type": "ASCII text, with very long lines", "sha256": "3cd3fc529dd87021b78fe84e5f9135ddb012ce246cd88c5e54f5d08c75713842", "urls": [ "http:\/\/suggestqueries.google.com\/complete\/search?output=firefox", "http:\/\/pdfpro100.com\/uninstall.html", "http:\/\/pdfpro100.com\/", "http:\/\/www.mozilla.org\/2006\/browser\/search\/", "http:\/\/pdfpro100.com\/eula.html", "http:\/\/pdfpro100.com\/thankyou.html" ], "crc32": "CB60BF44", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/3cd3fc529dd87021_config.txt", "ssdeep": null, "size": 3714, "sha512": "f5244c1eb5dfec5db1826ab5438aa0564f16722d510d87c3e4720cba14d4d87a2bbb95af645bfd6eedcb96587b8767c3de28e148511fd8245fb8ef1d946218cf", "pids": [ 2816 ], "md5": "82cf36f79f23dfe18bf41f8c32947a89" }, { "yara": [], "sha1": "98951a27c49c751f23bd80978af5cd802a9d6eaf", "name": "dc969c1bba33448b_retake.js", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "type": "ASCII text, with CRLF line terminators", "sha256": "dc969c1bba33448b36ab95d00e974151b5c5b2c27037c0b52a7280671375aed5", "urls": [], "crc32": "B750D54C", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/dc969c1bba33448b_retake.js", "ssdeep": null, "size": 1264, "sha512": "3b65a0eb00c635d80384108c5018395502a65ba0ea4df1eae9b2f6e8c2cc97b895d146dc4024312a2f32c0d860ce61777d0d39a202d7580fd86039f3809db009", "pids": [ 2816 ], "md5": "916f6cbef42b826dc557fdb34e1cc1dd" }, { "yara": [], "sha1": "bd6f6d08919c801ca943e1dc27bcb99c54da53f4", "name": "64e1417b6762ec16_1517130957005_490x60.png", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "type": "PNG image data, 490 x 60, 8-bit\/color RGB, non-interlaced", "sha256": "64e1417b6762ec16151ad20e629c5a1368325f3470cf5ae1fea86489977076fa", "urls": [ "http:\/\/ns.adobe.com\/xap\/1.0\/mm\/", "http:\/\/ns.adobe.com\/xap\/1.0\/", "http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef" ], "crc32": "C4B21B52", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/64e1417b6762ec16_1517130957005_490x60.png", "ssdeep": null, "size": 8674, "sha512": "d8c63ab2a87e7a449536ef0c14239597bd9eac4a5aa76605cf8abac99c611755875488ce9a63efb097446f8ef061116f80c78d20438ea2f8d489b6ed3cf687a3", "pids": [ 2816 ], "md5": "c983548175b1c8e5e374e18343358d9b" }, { "yara": [], "sha1": "48083f62696ac80bdf01e0bb7129ef31744cbc9b", "name": "2017751dc60014c0_win10_install.html", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "type": "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators", "sha256": "2017751dc60014c0f53f2ed6aa2a4458fe0bccc8f8142fbdd85250d4cf5b2883", "urls": [], "crc32": "0D3CAE21", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/2017751dc60014c0_win10_install.html", "ssdeep": null, "size": 15739, "sha512": "b534001c7a3b8f0d1daba556282495643d8f3a197988289853b52bcac7ae8833ca75355503397ae152a2071cbdc1d40a605b665f411b232cf9a86664ed8ae8ed", "pids": [ 2816 ], "md5": "5c27c2c2ca5b0df190283a7423e75f04" }, { "yara": [], "sha1": "e096bbcd97fd1790e31458e2bc253fdfc4ab1375", "name": "8e6d6b21b7bf81b7_uninstall.js", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "type": "ASCII text, with CRLF line terminators", "sha256": "8e6d6b21b7bf81b7be3388dba2f85726c66fa622cc2d5e45d1bed8fe12e440fb", "urls": [], "crc32": "02C6C7EB", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/8e6d6b21b7bf81b7_uninstall.js", "ssdeep": null, "size": 4324, "sha512": "1eb8180e5d2b777d191432143857437e0d6965edac98a8d63d2393ed884b8aac9858c792777be8279620a4cb2a0b9235fdb79f87a32ef1056a0e84bb12cca771", "pids": [ 2816 ], "md5": "863bd26ad590de3826d2e4e8a3e069f6" }, { "yara": [], "sha1": "f53c9b07c52e3223aadff9382c00e41d1916e839", "name": "177d7c8e26a11358_uninstall.html", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "type": "HTML document, ASCII text, with CRLF line terminators", "sha256": "177d7c8e26a11358c654f9b8b3e59f8f0c9f6e895fb4a506492ad2d1f636ff50", "urls": [], "crc32": "CF1B1E75", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/177d7c8e26a11358_uninstall.html", "ssdeep": null, "size": 3743, "sha512": "46bdb3017dae8b61b1528d371e3df11beaa0af49867a7ffd34e69bcb08c59e2214dd2d058324b21b4b1363dad4b9efeba3a323d59ddc47216ee8101eb5e2cb23", "pids": [ 2816 ], "md5": "e22832f34b41681ddd94ef4a3f4d2987" }, { "yara": [], "sha1": "ecd7e702be234a01bd321b8349714372f6502a49", "name": "f59273ab63d15f3e_pref.txt", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "type": "ASCII text, with very long lines, with no line terminators", "sha256": "f59273ab63d15f3e82d62244c4a3048ef0969582f675121c48da1898a5413d47", "urls": [ "http:\/\/baseapp.pdfpro100.com", "http:\/\/current.pdfpro100.com\/pronto\/application\/pdfpro100.com\/pref.json", "http:\/\/inf.pdfpro100.com\/api\/report\/?", "http:\/\/chkapp.pdfpro100.com\/api\/tech\/pc\/update\/check", "http:\/\/rest.pdfpro100.com", "http:\/\/current.pdfpro100.com\/pronto\/application\/pdfpro100.com\/favicon.ico", "http:\/\/lgc.pdfpro100.com\/task-for?" ], "crc32": "51FB78E5", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/f59273ab63d15f3e_pref.txt", "ssdeep": null, "size": 606, "sha512": "6c06ab89c5180cfd748bdeccdee2b40632f4cc2125eee341e6945f152e650c505b1f35a46c6facd0f7397785f70638ae4e58a9bfebe1deba8ed7eee7a465983e", "pids": [ 2816 ], "md5": "c694fdaa959c44d01a155dfeeeb3bd6b" }, { "yara": [], "sha1": "849b3031586708baf855f51f7f57b1286d621a37", "name": "a6b4b5e7745fdf24_alert-icon.png", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "type": "PNG image data, 34 x 34, 8-bit\/color RGBA, non-interlaced", "sha256": "a6b4b5e7745fdf240edbad76e248ca52f21539b678971adedcef3cd9bcfd29f7", "urls": [ "http:\/\/ns.adobe.com\/xap\/1.0\/mm\/", "http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef", "http:\/\/ns.adobe.com\/xap\/1.0\/" ], "crc32": "A7C69B64", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/a6b4b5e7745fdf24_alert-icon.png", "ssdeep": null, "size": 2892, "sha512": "2fc26858caa16c9fc17288d4f8357487905c62a3f158ca6ca2b17660c43b3686f1e64061c4c161fc3a32559215ea664c939969d75744cc881c10e671ee1019fc", "pids": [ 2816 ], "md5": "205df663a373feac8bbd39c72faded95" }, { "yara": [], "sha1": "9e89d1515bc4c371b86f4cb1002fd8e377c1829f", "name": "9365920887b11b33_jquery-3.2.1.slim.min.js", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "type": "ASCII text, with very long lines", "sha256": "9365920887b11b33a3dc4ba28a0f93951f200341263e3b9cefd384798e4be398", "urls": [], "crc32": "7EA11C46", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/9365920887b11b33_jquery-3.2.1.slim.min.js", "ssdeep": null, "size": 69597, "sha512": "cab8c4afa1d8e3a8b7856ee29ae92566d44ceead70c8d533f2c98a976d77d0e1d314719b5c6a473789d8c6b21ebb4b89a6b0ec2e1c9c618fb1437ebc77d3a269", "pids": [ 2816 ], "md5": "5f48fc77cac90c4778fa24ec9c57f37d" }, { "yara": [], "sha1": "1e003e627b9d8b0033f2b890053925a795c3660d", "name": "d6ca195e9e1531ae_appsync.exe.config", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "type": "XML 1.0 document, ASCII text, with CRLF line terminators", "sha256": "d6ca195e9e1531ae1c2016147530e2803bde68f8ce19b88506e1bda9f4a272b8", "urls": [], "crc32": "6C802FCC", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/d6ca195e9e1531ae_appsync.exe.config", "ssdeep": null, "size": 239, "sha512": "7a3f81c8e5df56c29f1706589d70bbb8709087ff23ccc0cc85ba653f0e591585496b02afda7360abbaced20d7145996e813334093e2850079a4937da5e8ed6cb", "pids": [ 2816 ], "md5": "2d3d9edf445c408dd56576d039630fbf" }, { "yara": [], "sha1": "4311d8f17ce94fcffbb9601e18410e80463d072b", "name": "beefc7696051c720_spinner.gif", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "type": "GIF image data, version 89a, 38 x 40", "sha256": "beefc7696051c720e15736a3b62d8f66a1dd955adb43a5653e94d9bb3bfe5aa3", "urls": [], "crc32": "3C2A20BE", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/beefc7696051c720_spinner.gif", "ssdeep": null, "size": 4640, "sha512": "6e3fd3f4f8682a48602dd4d5c4bd3a6769314139f1aad1f626c77ba696e57d5be72a679dc20f6c57f66c48d8a235468de4589e80d052339fed149f1c6fe6132b", "pids": [ 2816 ], "md5": "6f346e7f3244264676a2e3a286ad9509" }, { "yara": [], "sha1": "89a323725dc7fb9aea9ea67b397ae041295b6d36", "name": "4e257e9221ea5c80_uninstall.css", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "type": "ASCII text, with CRLF line terminators", "sha256": "4e257e9221ea5c80e98ea0e172e8e29f7af8ae74c10e16b3e359ef799610aebf", "urls": [], "crc32": "81A61906", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/4e257e9221ea5c80_uninstall.css", "ssdeep": null, "size": 5523, "sha512": "89839431b5270e839a6add220525dbb97ab3c06f648fa6aa55c1703dc624fa4abbf78a35b8fa91d4b944871c76216f1f1ad1678e8c4c4911950fd2972e3d6e15", "pids": [ 2816 ], "md5": "b137f09fc5a86e204181a9ab991a6fac" }, { "yara": [], "sha1": "93aaf6c4f65ea9d27b8c0d86832926f2e16f596d", "name": "2fa4044bc6ea21c1_pdfpro100.ico", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "type": "MS Windows icon resource - 6 icons, 256x256", "sha256": "2fa4044bc6ea21c14b87d7e35b865a60046d329f9881baf13ddd435ac0657063", "urls": [], "crc32": "83BDE31C", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/2fa4044bc6ea21c1_pdfpro100.ico", "ssdeep": null, "size": 370070, "sha512": "3dbda40f5e343eccd0ed8cf24abea1633bae5d06e052b10833728638330bce4f07aeaecbc557f5d0bb94c815db94ae26146639183c3918a303188414e269b3c8", "pids": [ 2816 ], "md5": "ddfad33d3b32f121bbd103237057325d" }, { "yara": [ { "meta": { "description": "Possibly employs anti-virtualization techniques", "author": "nex" }, "name": "vmdetect", "offsets": { "virtualbox_mac_1c": [ [ 5027, 0 ], [ 5138, 0 ], [ 5420, 0 ] ] }, "strings": [ "MDgwMDI3" ] } ], "sha1": "8a58821ce6206f5a852b28c486c1deb9b16256ab", "name": "5dec3071bd7b6c43_all.log", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log", "type": "ASCII text, with CRLF line terminators", "sha256": "5dec3071bd7b6c4394c9b0fc0186cd44ae2bc2aafe526eb0731a33d26df8fee0", "urls": [], "crc32": "38CF69B3", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/5dec3071bd7b6c43_all.log", "ssdeep": null, "size": 6675, "sha512": "8d0469d371c8bc7e53e7ed57aea18fbca2ba182c72beaa0e07683aff037ac6326a12e88afd23a3a9e3d2c5b6faf02b66e8aab477c2715388d44832acb9594278", "pids": [ 1676 ], "md5": "d87efe498be876e6b63dc3b6137fa7ea" }, { "yara": [], "sha1": "02b2d1365afa504c8298404c6491935f49278b54", "name": "9b59c4be219676b6_install.css", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "type": "ASCII text, with CRLF line terminators", "sha256": "9b59c4be219676b6ac3d478d3044c98d46d1ea131c5792ada18b0d7b586fba5e", "urls": [], "crc32": "8F82884A", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/9b59c4be219676b6_install.css", "ssdeep": null, "size": 9154, "sha512": "6627519cec0b5ed4b1cb393f5fa114ffe4a34d20ede8694cca285bc8292f9de2c80f4144be14e2ef35d04b22c29328e828881784c5d34d6d47c445f9df8cf453", "pids": [ 2816 ], "md5": "744924daea3046f00e025ce60b6c311b" }, { "yara": [], "sha1": "beab9fc3c0f2be6e3bdddcef86949a9f52131c5f", "name": "05eb6004d5d029dd_action.log", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "type": "ASCII text, with CRLF line terminators", "sha256": "05eb6004d5d029dd0f9f87b292fce57eb5e6a3fb75ccf819d76c89ffeb5d7102", "urls": [], "crc32": "AE5DD364", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/05eb6004d5d029dd_action.log", "ssdeep": null, "size": 73, "sha512": "ca52ddc6bd7e2f52470c5ac7317af9662ee362884cb39ab9c96d33ca6e8139f60ac179c95028ba27ce1641d6eb25fc5987e773f511590eb75d3a736ea8815da3", "pids": [ 1676 ], "md5": "a439fb7ea8e5de8703f3956382fc053e" }, { "yara": [], "sha1": "c0a5649cd94a8954dea1f5d5b45ac6e505bc17a3", "name": "ccb4ccbee52f5378_retake.html", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html", "type": "HTML document, UTF-8 Unicode text, with CRLF line terminators", "sha256": "ccb4ccbee52f5378d2f6a2a83653a86cb28a16725891d27a8f7e909089250183", "urls": [], "crc32": "7639D8BC", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/ccb4ccbee52f5378_retake.html", "ssdeep": null, "size": 1305, "sha512": "a6c3a29f34416214d342bc02eb706c6be7209eafdbe79c5468546bc49de5feb1a12f236eda313b0edc1a2d641e96bc3d93a87635a55c8c0e58e9e831b584e793", "pids": [ 2816 ], "md5": "6fc64a02a4d1c374766969a395e69649" } ]
[ { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\726fbfbd089ab537d9856d85281e07bc9e13906558169087551f875bc952b6b1.bin", "process_name": "726fbfbd089ab537d9856d85281e07bc9e13906558169087551f875bc952b6b1.bin", "pid": 2816, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "directory_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP" ], "dll_loaded": [ "feclient.dll", "kernel32.dll", "C:\\Windows\\system32\\advapi32.dll", "C:\\Windows\\system32\\advpack.dll" ], "file_opened": [ "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Windows", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Advanced INF Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "directory_removed": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html" ], "command_line": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Advanced INF Setup\\AdvpackLogFile" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0" ] }, "first_seen": 1574790785.875, "ppid": 2016 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1574790785.53125, "ppid": 376 }, { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "process_name": "AppSync.exe", "pid": 1676, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "\\Device\\KsecDD" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe" ], "dll_loaded": [ "imagehlp.dll", "API-MS-Win-Security-LSALookup-L1-1-0.dll", "DNSAPI.dll", "SHELL32.dll", "dwmapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll", "ncrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll", "API-MS-WIN-Service-Management-L2-1-0.dll", "crypt32.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "SspiCli.dll", "advapi32.dll", "psapi.dll", "SHLWAPI.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll", "USER32.dll", "C:\\Windows\\syswow64\\CRYPT32.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll", "C:\\Windows\\System32\\wship6.dll", "setupapi.dll", "iphlpapi.dll", "CFGMGR32.dll", "C:\\Windows\\System32\\wshtcpip.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll", "urlmon.dll", "ntdll", "apphelp.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll", "kernel32.dll", "oleaut32.dll", "SensApi.dll", "ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "cryptsp.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "IPHLPAPI.DLL", "RichEd20.dll", "uxtheme.dll", "winhttp.dll", "profapi.dll", "comctl32.dll", "RpcRtRemote.dll", "WINTRUST.DLL", "C:\\Windows\\system32\\cryptnet.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll", "DEVRTL.dll", "Cabinet.dll", "user32.dll", "WINHTTP.dll", "gdi32.dll", "ws2_32.dll", "bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "CRYPTSP.dll", "credssp.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll", "ole32.dll", "NSI.dll", "mscorsec.dll", "SXS.DLL", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll", "ADVAPI32.dll", "WS2_32.dll", "gdiplus.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "imm32.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "cryptnet.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Runtime.Seri#\\4a984a9ad59d14063bc6ae64a0c8f62a\\System.Runtime.Serialization.ni.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "version.dll", "shell32.dll", "OLEAUT32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll", "RPCRT4.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "sxs.dll", "mscoree.dll", "C:\\Windows\\system32\\mswsock.dll", "AdvApi32.dll" ], "file_opened": [ "C:\\Windows\\Fonts\\msyh.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat", "C:\\Windows\\Fonts\\tahoma.ttf", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Windows\\Fonts\\msjh.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Windows\\assembly\\pubpol4.dat", "C:\\Windows\\System32\\l_intl.nls", "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui", "C:\\Windows\\Fonts\\malgun.ttf", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log", "C:\\Windows\\SysWOW64\\ieframe.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp", "C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config", "C:\\Windows\\Fonts\\micross.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "C:\\Windows\\Fonts\\segoeui.ttf", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\UrlDllGetObjectUrl", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllPutSignedDataMsg", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\00000005", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE", "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\UrlDllGetObjectUrl", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllEncodeObjectEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{06C9E010-38CE-11D4-A2A3-00104BD35090}", "HKEY_CLASSES_ROOT\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InprocServer32", "HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllVerifyEncodedSignature", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}", "HKEY_CLASSES_ROOT\\AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_CURRENT_USER\\EUDC\\1252", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder", "HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus", "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllConvertPublicKeyInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\TVO", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.System.Runtime.Serialization__b77a5c561934e089", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_CLASSES_ROOT\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.1.1", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\33abb01d\\69ef69c7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllConvertPublicKeyInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyRevocation", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.SMDiagnostics__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\do\\OpenWithProgids", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}", "HKEY_CLASSES_ROOT\\do", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\SchemeDllRetrieveEncodedObjectW", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\TimeValidDllGetObject", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy", "HKEY_CLASSES_ROOT\\AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1A610570-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\ChainEngine\\Config", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{846EE342-7039-11DE-9D20-806E6F6E6963}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllGetSignedDataMsg", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\do", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{000C10F1-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\ContextDllCreateObjectContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.11", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\TimeValidDllGetObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx2", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1", "HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllVerifyEncodedSignature", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\SchemeDllRetrieveEncodedObjectW", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.12", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\ContextDllCreateObjectContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v4.0", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllVerifyIndirectData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.4", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.5.System.Core__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation\\DEFAULT", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AppSync.exe", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e", "HKEY_CURRENT_USER\\TypeLib", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a" ], "resolves_host": [ "ocsp.digicert.com", "crl4.digicert.com", "crl3.digicert.com" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log" ], "regkey_deleted": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp" ], "file_exists": [ "C:\\Windows\\inf\\", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.PDB", "C:\\Windows\\System32\\MSCOREE.DLL.local", "C:\\Windows\\Globalization\\en.nlp", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Windows\\Fonts\\ahronbd.ttf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\System32\\qagentrt.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP", "C:\\Windows\\System32\\p2pcollab.dll", "C:\\Users\\cuck\\AppData\\LocalLow" ], "mutex": [ "Global\\.net clr networking" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\2659C1A560AB92C9C29D4B2B25815AE8", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_3F584A3392BB586FC541F0F81FC9D443", "C:\\Windows\\symbols\\dll\\mscorlib.pdb", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0270780F846F08BEFE0DD8112D932FEF", "C:\\Windows\\symbols\\exe\\AppSync.pdb", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.pdb", "C:\\Windows\\exe\\AppSync.pdb", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config", "C:\\Windows\\dll\\mscorlib.pdb", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_DD7CBED22FCB4DBB59011DF9ECBBC293", "C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\config.txt", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6E47DC54834F661FE77B461D2DF73D9D", "C:\\Windows\\AppSync.pdb", "C:\\Windows\\mscorlib.pdb", "C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\ToUnzip\\pref.txt", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_943A1DFFA777580B483765AB2C11CA95", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\782AC1F7D5B160B0F71F6F92B0912799", "C:\\Users\\cuck\\AppData\\Roaming\\AppMaster\\pref.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdb" ], "wmi_query": [ "select * from Win32_OperatingSystem", "SELECT * FROM Win32_PhysicalMedia", "Select ProcessorId From Win32_processor" ], "guid": [ "{00000000-0000-0000-c000-000000000046}", "{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{44aca674-e8fc-11d0-a07c-00c04fb68820}", "{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}", "{674b6698-ee92-11d0-ad71-00c04fd8fdff}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{8856f961-340a-11d0-a96b-00c04fd705a2}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{871c5380-42a0-1069-a2ea-08002b30309d}", "{000214e6-0000-0000-c000-000000000046}", "{00000001-0000-0000-c000-000000000046}", "{dc12a687-737f-11cf-884d-00aa004b2e24}" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp", "C:\\Windows\\SysWOW64\\ieframe.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\409ACDAA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\\1.1\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\SMDiagnostics,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName", "HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\NavigationDelay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InProcServer32\\Class", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\svcVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Core,3.5.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_enumerated": [ "C:\\Windows\\Microsoft.NET\\Framework\\v4.0\\mscorwks.dll", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP", "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI", "C:\\Users", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_*", "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI", "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Serialization\\3.0.0.0__b77a5c561934e089\\System.Runtime.Serialization.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_*", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI", "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.INI", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.INI", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI" ] }, "first_seen": 1574790786.375, "ppid": 2816 } ]
[ { "markcount": 4, "families": [], "description": "Queries for the computername", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1574790807.031, "tid": 2184, "flags": {} }, "pid": 1676, "type": "call", "cid": 7908 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1574790807.109, "tid": 2700, "flags": {} }, "pid": 1676, "type": "call", "cid": 8125 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1574790807.188, "tid": 2872, "flags": {} }, "pid": 1676, "type": "call", "cid": 8559 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1574790807.266, "tid": 2624, "flags": {} }, "pid": 1676, "type": "call", "cid": 9117 } ], "references": [], "name": "antivm_queries_computername" }, { "markcount": 1, "families": [], "description": "Checks if process is being debugged by a debugger", "severity": 1, "marks": [ { "call": { "category": "system", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741700, "api": "IsDebuggerPresent", "return_value": 0, "arguments": {}, "time": 1574790786.484, "tid": 2872, "flags": {} }, "pid": 1676, "type": "call", "cid": 334 } ], "references": [], "name": "checks_debugger" }, { "markcount": 1, "families": [], "description": "This executable has a PDB path", "severity": 1, "marks": [ { "category": "pdb_path", "ioc": "wextract.pdb", "type": "ioc", "description": null } ], "references": [], "name": "has_pdb" }, { "markcount": 2, "families": [], "description": "Tries to locate where the browsers are installed", "severity": 1, "marks": [ { "category": "file", "ioc": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe", "type": "ioc", "description": null } ], "references": [], "name": "locates_browser" }, { "markcount": 1, "families": [], "description": "The file contains an unknown PE resource name possibly indicative of a packer", "severity": 1, "marks": [ { "category": "resource name", "ioc": "AVI", "type": "ioc", "description": null } ], "references": [], "name": "pe_unknown_resource_name" }, { "markcount": 3, "families": [], "description": "One or more processes crashed", "severity": 1, "marks": [ { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": "0\nx\n5\nd\nf\n0\n4\n3\n5\n\n\n0\nx\n5\n5\n4\ne\nf\n8\n7\n\n\n0\nx\n5\n5\n4\ne\na\nb\nf\n\n\n0\nx\n5\n5\n4\ne\n4\nf\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n6\nd\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n6\nd\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n0\nc\n5\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n0\n6\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n2\n0\n6\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n0\ne\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n0\n5\n9\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\nd\na\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n7\n6\n1\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n7\n6\n1\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n4\n3\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\n9\nd\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\nb\n3\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\nb\n3\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n3\n8\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\na\n8\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\na\n8\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\na\n8\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\na\n8\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n3\n8\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n1\n8\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n1\n8\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\n0\nc\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\nf\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\n1\n4\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\n1\n4\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\nb\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\n5\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\nb\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\nb\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n7\n1\n2\n3\nc\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\nf\n0\n3\n1\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\nd\n9\n2\n8\n4\n \n@\n \n0\nx\n6\ne\n4\n2\n9\n2\n8\n4\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\n9\n5\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n9\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\n9\n9\nf\n \n@\n \n0\nx\n6\ne\n4\n6\n9\n9\n9\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\nb\n1\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n7\n5\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\nb\n5\nc\n \n@\n \n0\nx\n6\ne\n4\n6\n9\nb\n5\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\na\n4\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n2\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n8\nc\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n8\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\n9\nf\n2\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n7\nb\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n3\na\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n3\na\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\n9\na\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n8\nc\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\n9\nf\n0\n \n@\n \n0\nx\n6\ne\n3\ne\nc\n9\nf\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n5\nd\n7\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\na\n4\nf\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nd\nd\nc\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nd\nd\nc\n1\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\nf\na\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n2\nc\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\nf\nf\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nc\nf\nf\n1\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\n8\n7\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n2\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n3\n2\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n3\n2\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\ne\nf\n3\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n3\n7\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\nf\n3\nb\n \n@\n \n0\nx\n6\ne\n4\n7\n7\nf\n3\nb\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\ne\n5\n0\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n1\nd\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n9\n8\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n9\n8\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\nd\ne\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n8\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n3\n0\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n3\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\nd\nc\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\na\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\ne\n0\nf\n \n@\n \n0\nx\n6\ne\n4\n7\n7\ne\n0\nf\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nC\nl\ni\ne\nn\nt\nR\ne\nc\nt\n+\n0\nx\nc\n5\n \nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n-\n0\nx\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n2\n7\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n2\n7\n\n\nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n+\n0\nx\n1\nb\n \nS\ne\nt\nR\ne\nc\nt\nE\nm\np\nt\ny\n-\n0\nx\n3\n8\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n4\nd\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n4\nd\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\nc\nd\n3\n \n@\n \n0\nx\n6\ne\nf\nc\n8\nc\nd\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n2\nf\n9\ne\n0\n \n@\n \n0\nx\n6\ne\nf\nf\nf\n9\ne\n0\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\n4\nf\na\n \n@\n \n0\nx\n6\ne\nf\nc\n8\n4\nf\na\n\n\n0\nx\na\n4\n0\na\n6\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\nc\ne\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n1\nc\nf\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n7\n9\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n7\n9\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n1\n3\n4\n1\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n4\n7\n5\nc\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n3\n8\ne\nc\n \n@\n \n0\nx\n6\ne\n3\nb\n3\n8\ne\nc\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n5\n9\nb\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\n0\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nb\n4\n6\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nb\n4\n6\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n9\nf\n9\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\na\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nf\na\n4\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nf\na\n4\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n4\nd\n5\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\nc\n8\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\na\n8\n0\n \n@\n \n0\nx\n6\ne\n3\nb\n4\na\n8\n0\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\na\n9\n3\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\n0\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n5\n0\n3\ne\n \n@\n \n0\nx\n6\ne\n3\nb\n5\n0\n3\ne\n\n\nS\no\nf\nt\nw\na\nr\ne\nU\np\nd\na\nt\ne\nM\ne\ns\ns\na\ng\ne\nB\no\nx\n+\n0\nx\n2\n7\n8\n9\n6\n \nI\nE\nA\ns\ns\no\nc\ni\na\nt\ne\nT\nh\nr\ne\na\nd\nW\ni\nt\nh\nT\na\nb\n-\n0\nx\n2\nb\n5\n8\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\nf\n0\n2\n2\n3\n \n@\n \n0\nx\n6\ne\n5\n4\n0\n2\n2\n3\n\n\nD\nl\nl\nR\ne\ng\ni\ns\nt\ne\nr\nS\ne\nr\nv\ne\nr\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n3\nd\nf\n0\n2\n \nG\ne\nt\nP\nr\ni\nv\na\nt\ne\nC\no\nn\nt\ne\nx\nt\ns\nP\ne\nr\nf\nC\no\nu\nn\nt\ne\nr\ns\n-\n0\nx\n1\n9\n7\n9\n7\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n9\n4\n1\n6\n8\n \n@\n \n0\nx\n7\n0\nc\ne\n4\n1\n6\n8\n\n\n0\nx\n5\n6\nf\n0\n6\na\ne\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n1\nb\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n1\nb\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n7\nb\n9\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n7\nb\n9\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n9\n4\ne\nc\nc\ne\n \n@\n \n0\nx\n6\nf\n7\n1\ne\nc\nc\ne\n\n\n0\nx\n5\n5\n4\n7\na\n4\n6\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n6\na\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n6\na\n5\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n1\n4\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n1\n4\n5", "registers": { "esp": 8298468, "edi": 8298888, "eax": 0, "ebp": 8298500, "edx": 2130566132, "ebx": 52737444, "esi": 52177724, "ecx": 0 }, "exception": { "instruction_r": "8b 01 ff 50 28 8b f0 ba 01 00 00 00 b9 f6 5e 1a", "instruction": "mov eax, dword ptr [ecx]", "exception_code": "0xc0000005", "symbol": "", "address": "0x5df1d23" } }, "time": 1574790806.953, "tid": 2872, "flags": {} }, "pid": 1676, "type": "call", "cid": 7509 }, { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": "0\nx\n5\nd\nf\n1\nd\ne\na\n\n\n0\nx\n5\nd\nf\n0\n4\n6\ne\n\n\n0\nx\n5\n5\n4\ne\nf\n8\n7\n\n\n0\nx\n5\n5\n4\ne\na\nb\nf\n\n\n0\nx\n5\n5\n4\ne\n4\nf\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n6\nd\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n6\nd\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n0\nc\n5\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n0\n6\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n2\n0\n6\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n0\ne\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n0\n5\n9\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\nd\na\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n7\n6\n1\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n7\n6\n1\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n4\n3\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\n9\nd\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\nb\n3\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\nb\n3\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n3\n8\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\na\n8\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\na\n8\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\na\n8\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\na\n8\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n3\n8\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n1\n8\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n1\n8\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\n0\nc\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\nf\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\n1\n4\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\n1\n4\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\nb\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\n5\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\nb\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\nb\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n7\n1\n2\n3\nc\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\nf\n0\n3\n1\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\nd\n9\n2\n8\n4\n \n@\n \n0\nx\n6\ne\n4\n2\n9\n2\n8\n4\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\n9\n5\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n9\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\n9\n9\nf\n \n@\n \n0\nx\n6\ne\n4\n6\n9\n9\n9\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\nb\n1\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n7\n5\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\nb\n5\nc\n \n@\n \n0\nx\n6\ne\n4\n6\n9\nb\n5\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\na\n4\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n2\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n8\nc\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n8\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\n9\nf\n2\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n7\nb\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n3\na\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n3\na\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\n9\na\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n8\nc\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\n9\nf\n0\n \n@\n \n0\nx\n6\ne\n3\ne\nc\n9\nf\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n5\nd\n7\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\na\n4\nf\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nd\nd\nc\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nd\nd\nc\n1\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\nf\na\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n2\nc\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\nf\nf\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nc\nf\nf\n1\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\n8\n7\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n2\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n3\n2\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n3\n2\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\ne\nf\n3\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n3\n7\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\nf\n3\nb\n \n@\n \n0\nx\n6\ne\n4\n7\n7\nf\n3\nb\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\ne\n5\n0\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n1\nd\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n9\n8\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n9\n8\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\nd\ne\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n8\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n3\n0\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n3\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\nd\nc\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\na\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\ne\n0\nf\n \n@\n \n0\nx\n6\ne\n4\n7\n7\ne\n0\nf\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nC\nl\ni\ne\nn\nt\nR\ne\nc\nt\n+\n0\nx\nc\n5\n \nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n-\n0\nx\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n2\n7\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n2\n7\n\n\nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n+\n0\nx\n1\nb\n \nS\ne\nt\nR\ne\nc\nt\nE\nm\np\nt\ny\n-\n0\nx\n3\n8\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n4\nd\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n4\nd\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\nc\nd\n3\n \n@\n \n0\nx\n6\ne\nf\nc\n8\nc\nd\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n2\nf\n9\ne\n0\n \n@\n \n0\nx\n6\ne\nf\nf\nf\n9\ne\n0\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\n4\nf\na\n \n@\n \n0\nx\n6\ne\nf\nc\n8\n4\nf\na\n\n\n0\nx\na\n4\n0\na\n6\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\nc\ne\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n1\nc\nf\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n7\n9\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n7\n9\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n1\n3\n4\n1\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n4\n7\n5\nc\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n3\n8\ne\nc\n \n@\n \n0\nx\n6\ne\n3\nb\n3\n8\ne\nc\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n5\n9\nb\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\n0\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nb\n4\n6\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nb\n4\n6\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n9\nf\n9\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\na\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nf\na\n4\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nf\na\n4\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n4\nd\n5\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\nc\n8\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\na\n8\n0\n \n@\n \n0\nx\n6\ne\n3\nb\n4\na\n8\n0\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\na\n9\n3\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\n0\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n5\n0\n3\ne\n \n@\n \n0\nx\n6\ne\n3\nb\n5\n0\n3\ne\n\n\nS\no\nf\nt\nw\na\nr\ne\nU\np\nd\na\nt\ne\nM\ne\ns\ns\na\ng\ne\nB\no\nx\n+\n0\nx\n2\n7\n8\n9\n6\n \nI\nE\nA\ns\ns\no\nc\ni\na\nt\ne\nT\nh\nr\ne\na\nd\nW\ni\nt\nh\nT\na\nb\n-\n0\nx\n2\nb\n5\n8\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\nf\n0\n2\n2\n3\n \n@\n \n0\nx\n6\ne\n5\n4\n0\n2\n2\n3\n\n\nD\nl\nl\nR\ne\ng\ni\ns\nt\ne\nr\nS\ne\nr\nv\ne\nr\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n3\nd\nf\n0\n2\n \nG\ne\nt\nP\nr\ni\nv\na\nt\ne\nC\no\nn\nt\ne\nx\nt\ns\nP\ne\nr\nf\nC\no\nu\nn\nt\ne\nr\ns\n-\n0\nx\n1\n9\n7\n9\n7\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n9\n4\n1\n6\n8\n \n@\n \n0\nx\n7\n0\nc\ne\n4\n1\n6\n8\n\n\n0\nx\n5\n6\nf\n0\n6\na\ne\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n1\nb\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n1\nb\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n7\nb\n9\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n7\nb\n9\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n9\n4\ne\nc\nc\ne\n \n@\n \n0\nx\n6\nf\n7\n1\ne\nc\nc\ne\n\n\n0\nx\n5\n5\n4\n7\na\n4\n6\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n6\na\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n6\na\n5", "registers": { "esp": 8298412, "edi": 8298436, "eax": 0, "ebp": 8298452, "edx": 158, "ebx": 52737444, "esi": 53046588, "ecx": 0 }, "exception": { "instruction_r": "8b 01 ff 50 28 89 45 dc c7 45 e4 00 00 00 00 c7", "instruction": "mov eax, dword ptr [ecx]", "exception_code": "0xc0000005", "symbol": "", "address": "0x5df1f47" } }, "time": 1574790807.078, "tid": 2872, "flags": {} }, "pid": 1676, "type": "call", "cid": 8005 }, { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": "0\nx\n5\n5\n4\ne\nf\n8\n7\n\n\n0\nx\n5\n5\n4\ne\na\nb\nf\n\n\n0\nx\n5\n5\n4\ne\n4\nf\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n6\nd\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n6\nd\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n0\nc\n5\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n0\n6\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n2\n0\n6\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n0\ne\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n0\n5\n9\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\nd\na\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n7\n6\n1\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n7\n6\n1\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n4\n3\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\n9\nd\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\nb\n3\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\nb\n3\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n3\n8\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\na\n8\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\na\n8\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\na\n8\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\na\n8\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n3\n8\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n1\n8\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n1\n8\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\n0\nc\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\nf\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\n1\n4\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\n1\n4\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\nb\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\n5\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\nb\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\nb\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n7\n1\n2\n3\nc\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\nf\n0\n3\n1\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\nd\n9\n2\n8\n4\n \n@\n \n0\nx\n6\ne\n4\n2\n9\n2\n8\n4\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\n9\n5\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n9\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\n9\n9\nf\n \n@\n \n0\nx\n6\ne\n4\n6\n9\n9\n9\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\nb\n1\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n7\n5\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\nb\n5\nc\n \n@\n \n0\nx\n6\ne\n4\n6\n9\nb\n5\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\na\n4\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n2\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n8\nc\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n8\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\n9\nf\n2\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n7\nb\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n3\na\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n3\na\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\n9\na\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n8\nc\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\n9\nf\n0\n \n@\n \n0\nx\n6\ne\n3\ne\nc\n9\nf\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n5\nd\n7\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\na\n4\nf\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nd\nd\nc\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nd\nd\nc\n1\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\nf\na\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n2\nc\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\nf\nf\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nc\nf\nf\n1\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\n8\n7\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n2\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n3\n2\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n3\n2\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\ne\nf\n3\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n3\n7\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\nf\n3\nb\n \n@\n \n0\nx\n6\ne\n4\n7\n7\nf\n3\nb\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\ne\n5\n0\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n1\nd\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n9\n8\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n9\n8\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\nd\ne\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n8\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n3\n0\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n3\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\nd\nc\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\na\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\ne\n0\nf\n \n@\n \n0\nx\n6\ne\n4\n7\n7\ne\n0\nf\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nC\nl\ni\ne\nn\nt\nR\ne\nc\nt\n+\n0\nx\nc\n5\n \nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n-\n0\nx\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n2\n7\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n2\n7\n\n\nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n+\n0\nx\n1\nb\n \nS\ne\nt\nR\ne\nc\nt\nE\nm\np\nt\ny\n-\n0\nx\n3\n8\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n4\nd\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n4\nd\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\nc\nd\n3\n \n@\n \n0\nx\n6\ne\nf\nc\n8\nc\nd\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n2\nf\n9\ne\n0\n \n@\n \n0\nx\n6\ne\nf\nf\nf\n9\ne\n0\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\n4\nf\na\n \n@\n \n0\nx\n6\ne\nf\nc\n8\n4\nf\na\n\n\n0\nx\na\n4\n0\na\n6\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\nc\ne\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n1\nc\nf\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n7\n9\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n7\n9\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n1\n3\n4\n1\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n4\n7\n5\nc\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n3\n8\ne\nc\n \n@\n \n0\nx\n6\ne\n3\nb\n3\n8\ne\nc\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n5\n9\nb\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\n0\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nb\n4\n6\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nb\n4\n6\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n9\nf\n9\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\na\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nf\na\n4\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nf\na\n4\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n4\nd\n5\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\nc\n8\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\na\n8\n0\n \n@\n \n0\nx\n6\ne\n3\nb\n4\na\n8\n0\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\na\n9\n3\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\n0\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n5\n0\n3\ne\n \n@\n \n0\nx\n6\ne\n3\nb\n5\n0\n3\ne\n\n\nS\no\nf\nt\nw\na\nr\ne\nU\np\nd\na\nt\ne\nM\ne\ns\ns\na\ng\ne\nB\no\nx\n+\n0\nx\n2\n7\n8\n9\n6\n \nI\nE\nA\ns\ns\no\nc\ni\na\nt\ne\nT\nh\nr\ne\na\nd\nW\ni\nt\nh\nT\na\nb\n-\n0\nx\n2\nb\n5\n8\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\nf\n0\n2\n2\n3\n \n@\n \n0\nx\n6\ne\n5\n4\n0\n2\n2\n3\n\n\nD\nl\nl\nR\ne\ng\ni\ns\nt\ne\nr\nS\ne\nr\nv\ne\nr\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n3\nd\nf\n0\n2\n \nG\ne\nt\nP\nr\ni\nv\na\nt\ne\nC\no\nn\nt\ne\nx\nt\ns\nP\ne\nr\nf\nC\no\nu\nn\nt\ne\nr\ns\n-\n0\nx\n1\n9\n7\n9\n7\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n9\n4\n1\n6\n8\n \n@\n \n0\nx\n7\n0\nc\ne\n4\n1\n6\n8\n\n\n0\nx\n5\n6\nf\n0\n6\na\ne\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n1\nb\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n1\nb\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n7\nb\n9\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n7\nb\n9\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n9\n4\ne\nc\nc\ne\n \n@\n \n0\nx\n6\nf\n7\n1\ne\nc\nc\ne\n\n\n0\nx\n5\n5\n4\n7\na\n4\n6\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n6\na\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n6\na\n5\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n1\n4\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n1\n4\n5\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n6\nd\n7\n1\n \n@\n \n0\nx\n6\ne\nf\nc\n6\nd\n7\n1", "registers": { "esp": 8298508, "edi": 8298888, "eax": 0, "ebp": 8298904, "edx": 52542852, "ebx": 52737444, "esi": 52177724, "ecx": 0 }, "exception": { "instruction_r": "8b 01 ff 50 48 8b c8 8b 15 f4 91 1c 04 8b 01 ff", "instruction": "mov eax, dword ptr [ecx]", "exception_code": "0xc0000005", "symbol": "", "address": "0x5df05c9" } }, "time": 1574790807.375, "tid": 2872, "flags": {} }, "pid": 1676, "type": "call", "cid": 9354 } ], "references": [], "name": "raises_exception" }, { "markcount": 147, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74ac1000" }, "time": 1574790785.969, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 68 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74a91000" }, "time": 1574790786.141, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 509 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x70c51000" }, "time": 1574790786.453, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 85 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74634000" }, "time": 1574790786.453, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 87 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x70c51000" }, "time": 1574790786.469, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 222 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0096a000" }, "time": 1574790786.484, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 345 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 8192, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x70c52000" }, "time": 1574790786.484, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 346 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00962000" }, "time": 1574790786.484, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 347 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00972000" }, "time": 1574790786.5, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 456 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x64021000" }, "time": 1574790786.5, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 483 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x75ce1000" }, "time": 1574790786.5, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 485 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x749e1000" }, "time": 1574790786.5, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 487 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x745b1000" }, "time": 1574790786.531, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 640 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x760d1000" }, "time": 1574790786.563, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 934 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74531000" }, "time": 1574790786.578, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 1219 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74511000" }, "time": 1574790786.578, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 1221 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x744d1000" }, "time": 1574790786.578, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 1231 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74491000" }, "time": 1574790786.641, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 1672 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x75b61000" }, "time": 1574790786.641, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 1674 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74481000" }, "time": 1574790786.656, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 1966 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x743e1000" }, "time": 1574790786.984, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2050 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74391000" }, "time": 1574790786.984, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2052 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x77311000" }, "time": 1574790786.984, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2071 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x77b61000" }, "time": 1574790786.984, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2073 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x74381000" }, "time": 1574790787.078, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2122 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x73b11000" }, "time": 1574790787.078, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2162 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x73af1000" }, "time": 1574790787.078, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2250 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x73a71000" }, "time": 1574790792.344, "tid": 2468, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 2466 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x750a1000" }, "time": 1574790806.141, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 3795 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x73a51000" }, "time": 1574790806.141, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1676, "type": "call", "cid": 3807 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00973000" }, "time": 1574790806.313, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4877 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x009bb000" }, "time": 1574790806.313, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4889 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x009b7000" }, "time": 1574790806.313, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4890 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0097c000" }, "time": 1574790806.313, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4931 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x05540000" }, "time": 1574790806.313, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4941 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00975000" }, "time": 1574790806.328, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4942 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00986000" }, "time": 1574790806.328, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4943 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00976000" }, "time": 1574790806.328, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4945 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00977000" }, "time": 1574790806.328, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 4947 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0098a000" }, "time": 1574790806.359, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5062 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00987000" }, "time": 1574790806.359, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5063 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00978000" }, "time": 1574790806.359, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5104 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0099a000" }, "time": 1574790806.359, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5113 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00992000" }, "time": 1574790806.359, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5126 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x009b5000" }, "time": 1574790806.375, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5154 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x05541000" }, "time": 1574790806.391, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5183 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00979000" }, "time": 1574790806.391, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5189 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x05542000" }, "time": 1574790806.391, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5194 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0099c000" }, "time": 1574790806.406, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5196 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1676, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x05560000" }, "time": 1574790806.406, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1676, "type": "call", "cid": 5200 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 2, "families": [], "description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation", "severity": 2, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetDiskFreeSpaceW", "return_value": 1, "arguments": { "root_path": "\\", "sectors_per_cluster": 8, "number_of_free_clusters": 5740756, "total_number_of_clusters": 8362495, "bytes_per_sector": 512 }, "time": 1574790785.969, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 59 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetDiskFreeSpaceW", "return_value": 1, "arguments": { "root_path": "\\", "sectors_per_cluster": 8, "number_of_free_clusters": 5740756, "total_number_of_clusters": 8362495, "bytes_per_sector": 512 }, "time": 1574790785.969, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 76 } ], "references": [], "name": "antivm_disk_size" }, { "markcount": 1, "families": [], "description": "Drops an executable to the user AppData folder", "severity": 2, "marks": [ { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "type": "ioc", "description": null } ], "references": [], "name": "exe_appdata" }, { "markcount": 3, "families": [], "description": "Executes one or more WMI queries", "severity": 2, "marks": [ { "category": "wmi", "ioc": "select * from Win32_OperatingSystem", "type": "ioc", "description": null }, { "category": "wmi", "ioc": "SELECT * FROM Win32_PhysicalMedia", "type": "ioc", "description": null }, { "category": "wmi", "ioc": "Select ProcessorId From Win32_processor", "type": "ioc", "description": null } ], "references": [], "name": "has_wmi" }, { "markcount": 1, "families": [], "description": "Checks adapter addresses which can be used to detect virtual network interfaces", "severity": 2, "marks": [ { "call": { "category": "network", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "GetAdaptersAddresses", "return_value": 111, "arguments": { "flags": 15, "family": 0 }, "time": 1574790787.078, "tid": 2468, "flags": {} }, "pid": 1676, "type": "call", "cid": 2254 } ], "references": [], "name": "antivm_network_adapters" }, { "markcount": 2, "families": [], "description": "The binary likely contains encrypted or compressed data indicative of a packer", "severity": 2, "marks": [ { "entropy": 7.7833856490976565, "section": { "size_of_data": "0x001ef800", "virtual_address": "0x0000c000", "entropy": 7.7833856490976565, "name": ".rsrc", "virtual_size": "0x001ef800" }, "type": "generic", "description": "A section with a high entropy has been found" }, { "entropy": 0.9838669645073219, "type": "generic", "description": "Overall entropy of this PE file is high" } ], "references": [ "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html", "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf" ], "name": "packer_entropy" }, { "markcount": 1, "families": [], "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege", "severity": 2, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1574790806.5, "tid": 2872, "flags": {} }, "pid": 1676, "type": "call", "cid": 5483 } ], "references": [], "name": "privilege_luid_check" }, { "markcount": 1, "families": [], "description": "Executes one or more WMI queries which can be used to identify virtual machines", "severity": 2, "marks": [ { "category": "wmi", "ioc": "Select ProcessorId From Win32_processor", "type": "ioc", "description": null } ], "references": [], "name": "wmi_antivm" }, { "markcount": 1, "families": [], "description": "Installs itself for autorun at Windows startup", "severity": 3, "marks": [ { "type": "generic", "reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0", "reg_value": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\\"" } ], "references": [], "name": "persistence_autorun" }, { "markcount": 6, "families": [], "description": "Attempts to modify browser security settings", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe", "type": "ioc", "description": null } ], "references": [], "name": "browser_security" }, { "markcount": 2, "families": [], "description": "Attempts to create or modify system certificates", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "type": "ioc", "description": null } ], "references": [], "name": "modifies_certificates" }, { "markcount": 1, "families": [], "description": "Uses Sysinternals tools in order to add additional command line functionality", "severity": 3, "marks": [ { "category": "cmdline", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe", "type": "ioc", "description": null } ], "references": [ "docs.microsoft.com\/en-us\/sysinternals\/downloads\/" ], "name": "sysinternals_tools_usage" } ]
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 662, "time": 6.218070983886719, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 13118, "time": 12.217803955078125, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 14962, "time": 9.16071891784668, "dport": 5355, "sport": 49840 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 15282, "time": 6.154805898666382, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 15610, "time": 14.348017930984497, "dport": 5355, "sport": 52259 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 15930, "time": 4.1614110469818115, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 16258, "time": 6.162499904632568, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 16586, "time": 24.136492013931274, "dport": 5355, "sport": 54237 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 16906, "time": 4.6595189571380615, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 17234, "time": 19.523442029953003, "dport": 5355, "sport": 54335 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 17554, "time": 3.051319122314453, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 17882, "time": 6.474728107452393, "dport": 5355, "sport": 55880 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 18202, "time": 23.801321029663086, "dport": 5355, "sport": 58989 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 18522, "time": 21.542927980422974, "dport": 5355, "sport": 59548 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 18842, "time": 26.384418964385986, "dport": 5355, "sport": 60071 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 19162, "time": 27.52581000328064, "dport": 5355, "sport": 62601 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 19482, "time": 16.92945909500122, "dport": 5355, "sport": 63506 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 19802, "time": 24.927303075790405, "dport": 5355, "sport": 63646 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 20122, "time": 11.76521897315979, "dport": 5355, "sport": 64017 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 20442, "time": 4.67561411857605, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 39852, "time": 4.179297924041748, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 48236, "time": 6.249229907989502, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "b471fbf44c4dc72a901e558c3699d69f33b2a6a1d17335b4ec58274eee2aeb16", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "e609e18f3cb1f0996281fd91a90da0cb3c19ceccb5d3b68b993fcd2e414fdc15", "irc": [], "https_ex": [] }
The instructions below shows how to remove pupdate.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the pupdate.exe file for removal, restart your computer and scan it again to verify that pupdate.exe has been successfully removed. Here are the removal instructions in more detail:
Property | Value |
---|---|
MD5 | 8baadc8e0e4cb99aee39ec695f57d2ca |
SHA256 | 726fbfbd089ab537d9856d85281e07bc9e13906558169087551f875bc952b6b1 |
These are some of the error messages that can appear related to pupdate.exe:
pupdate.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
pupdate.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Win32 Cabinet Self-Extractor has stopped working.
End Program - pupdate.exe. This program is not responding.
pupdate.exe is not a valid Win32 application.
pupdate.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with pupdate.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.